Tracking malware root causes with an event graph

ABSTRACT

An event graph can be generated, and, upon malware detection, traversed backward to identify a root cause associated with the malware detection. Using this information, rules for earlier malware detection can be created by analyzing the event graph proximal to the root cause rather than proximal to the malware detection trigger.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No.17/039,350 filed on Sep. 30, 2020, which is a continuation of U.S.patent application Ser. No. 16/401,565 filed on May 2, 2019 (now U.S.Pat. No. 10,817,602), which is a continuation of U.S. patent applicationSer. No. 15/924,449 (now U.S. Pat. No. 10,489,588) filed on Mar. 19,2018, and U.S. patent application Ser. No. 15/924,460 (now U.S. Pat. No.10,460,105) filed on Mar. 19, 2018, where each of U.S. patentapplication Ser. Nos. 15/924,449 and 15/924,460 is a continuation ofU.S. patent application Ser. No. 15/484,830 (now U.S. Pat. No.9,928,366) filed on Apr. 11, 2017, which is a continuation-in-part ofU.S. patent application Ser. No. 15/130,244 (now U.S. Pat. No.9,967,267) filed on Apr. 15, 2016, with the entire contents of each ofthese applications hereby incorporated herein by reference. U.S. patentapplication Ser. No. 16/401,565 also claims priority to United KingdomPat. App. No. 1610609.8 filed on Jun. 17, 2016, and United Kingdom Pat.App. No. 1611301.1 filed on Jun. 29, 2016, with the entire contents ofeach of these applications hereby incorporated herein by reference.

TECHNICAL FIELD

This application relates to forensic analysis of computing activity,e.g., to techniques for identifying root causes of security compromisesin a complex computing environment, and to malware detection using anevent graph.

BACKGROUND

As malware becomes more sophisticated, it has become increasinglydifficult to identify the impact of a security compromise, even after anevent is detected, and it has become increasingly difficult todistinguish malicious computing activity from other computer processesand user activity. There remains a need for improved techniques forforensic analysis to assist an investigator investigating securityevents, and there generally remains a need for improved techniques fordetecting malware on endpoints in an enterprise network.

SUMMARY

A data recorder stores endpoint activity on an ongoing basis assequences of events that causally relate computer objects such asprocesses and files. When a security event is detected, an event graphmay be generated based on these causal relationships among the computingobjects. For a root cause analysis, the event graph may be traversed ina reverse order from the point of an identified security event (e.g., amalware detection event) to preceding computing objects, while applyingone or more cause identification rules to identify a root cause of thesecurity event. Once a root cause is identified, the event graph may betraversed forward from the root cause to identify other computingobjects that are potentially compromised by the root cause.

An aspect includes a computer program product for forensic analysis forcomputer processes, where the computer program product includes computerexecutable code embodied in a non-transitory computer readable mediumthat, when executing on a computing device, performs the steps ofinstrumenting a first endpoint to monitor a number of causalrelationships among a number of computing objects and to record asequence of events causally relating the number of computing objects,detecting a security compromise event associated with one of the numberof computing objects, and in response to detecting the securitycompromise event, traversing an event graph based on the sequence ofevents in a reverse order from the one of the computing objectsassociated with the security compromise event to one or more precedingones of the computing objects. The computer program product may alsoinclude code that performs the steps of applying a cause identificationrule to the preceding ones of the computing objects and the causalrelationships while traversing the event graph to identify one of thecomputing objects as a cause of the security compromise event, andtraversing the event graph forward from the cause of the securitycompromise event to identify one or more other ones of the computingobjects compromised by the cause.

In another aspect, a method for forensic analysis for computer processesmay include instrumenting a first endpoint to monitor a number of causalrelationships among a number of computing objects and to record asequence of events causally relating the number of computing objects,detecting a security event associated with one of the number ofcomputing objects, and in response to detecting the security event,traversing an event graph based on the sequence of events in a reverseorder from the one of the computing objects associated with the securityevent to one or more preceding ones of the computing objects. The methodmay also include applying a cause identification rule to the precedingones of the computing objects and the causal relationships whiletraversing the event graph to identify one of the computing objects as acause of the security event, and traversing the event graph forward fromthe cause of the security event to identify one or more other ones ofthe computing objects affected by the cause.

Implementations may include one or more of the following features. Thenumber of causal relationships may include one or more of a data flow, acontrol flow, and a network flow. Detecting the security event mayinclude detecting a security compromise by applying static analysis tosoftware objects on the first endpoint. Detecting the security event mayinclude detecting a security compromise by applying behavioral analysisto code executing on the first endpoint. Detecting the security eventmay include detecting a hardware change. Detecting the security eventmay include detecting a potential data leakage. The one or morecomputing objects may include one or more types of computing objectsselected from a group consisting of a data file, a process, anapplication, a registry entry, a network address, and a peripheraldevice. The one or more computing objects may include one or morenetwork addresses, the one or more network addresses including at leastone of a uniform resource locator (URL), an internet protocol (IP)address, and a domain name. The one or more computing objects mayinclude one or more peripheral devices, the one or more peripheraldevices including at least one of a universal serial bus (USB) memory, acamera, a printer, and a keyboard. A number of events within thesequence of events may be preserved for a predetermined time window,where the predetermined time window has a different duration for atleast two types of computing objects. The one or more computing objectsmay include at least one computing object on a device other than thefirst endpoint. The device may include at least one of a second endpointand a server. The cause identification rule may associate the cause withone or more common malware entry points. The one or more common malwareentry points may include at least one of a word processing application,an electronic mail application, a spreadsheet application, a browser,and a universal serial bus (USB) drive. The cause identification rulemay associate the cause with a combination of a first process invoking asecond process and then providing data to the second process. The firstprocess invoking the second process may include at least one of aspawning, a hijacking, and a remote launch over a network. Providingdata to the second process may include creating a file for use by thesecond process. The method may further include generating the eventgraph.

In an aspect, a system for forensic analysis for computer processesincludes a first endpoint, a data recorder instrumented to monitor anumber of causal relationships among a number of computing objects onthe first endpoint and to record a sequence of events causally relatingthe number of computing objects, and a processor and a memory disposedon the first endpoint or in communication with the first endpoint. Thememory may bear computer code that, when executing on the processor,performs the steps of detecting a security event associated with one ofthe number of computing objects on the first endpoint, and, in responseto detecting the security event, traversing an event graph based on thesequence of events in a reverse order from the one of the computingobjects associated with the security event to one or more preceding onesof the computing objects. The memory may further bear computer codethat, when executing on the processor, performs the steps of applying acause identification rule to the preceding ones of the computing objectsand the causal relationships while traversing the event graph toidentify one of the computing objects as a cause of the security event,and traversing the event graph forward from the cause of the securityevent to identify one or more other ones of the computing objectsaffected by the cause.

A data recorder stores endpoint activity on an ongoing basis assequences of events that causally relate computer objects such asprocesses and files, and patterns within this event graph can be used todetect the presence of malware on the endpoint. The underlying recordingprocess may be dynamically adjusted in order to vary the amount andlocation of recording as the security state of the endpoint changes overtime.

In an aspect, a computer program product for detecting malware on anendpoint in an enterprise network may include computer executable codeembodied in a non-transitory computer readable medium that, whenexecuting on the endpoint, performs the steps of instrumenting theendpoint to monitor a number of causal relationships among a number ofcomputing objects at a plurality of logical locations within a computingenvironment on the endpoint, selecting a set of logical locations fromthe plurality of logical locations, recording a sequence of eventscausally relating the number of computing objects at the set of logicallocations, creating an event graph based on the sequence of events,evaluating a security state of the endpoint based on the event graph,adjusting the set of logical locations by adding a new logical location,removing an existing logical location, or changing a level of filteringat one of the set of logical locations according to the security stateof the endpoint, and remediating the endpoint when the security state iscompromised.

In another aspect, a method for malware detection includes instrumentinga first endpoint to monitor a number of causal relationships among anumber of computing objects at a plurality of logical locations within acomputing environment related to the first endpoint, selecting a firstset of logical locations from the plurality of logical locations,recording a sequence of events causally relating the number of computingobjects at the first set of logical locations, creating an event graphbased on the sequence of events, applying a malware detection rule tothe event graph, and remediating the first endpoint when the malwaredetection rule and the event graph indicate a compromised securitystate.

Implementations may include one or more of the following features.Selecting the first set of logical locations may include selecting agroup from the plurality of logical locations based on exposure to anexternal environment. Selecting the first set of logical locations mayinclude selecting a group from the plurality of logical locations basedon reputation. The method may further include excluding at least one ofthe plurality of logical locations associated with a known, goodprocess. The method may further include selecting a second set oflogical locations different from the first set of logical locations inresponse to an observed event graph for the sequence of events. Themethod may further include adding one or more of the plurality oflogical locations to the first set of logical locations in response to adetected increase in security risk. The method may further includeremoving one of the plurality of logical locations from the first set oflogical locations in response to a detected decrease in security risk.The method may further include filtering one or more of the events inthe sequence of events according to reputation. The plurality of logicallocations may include at least one endpoint separate from the firstendpoint. The plurality of logical locations may include at least oneprogramming interface to a human interface device. The method mayfurther include identifying one of the computing objects as a cause ofthe compromised security state and remediating the one of the computingobjects. The method may further include traversing the event graphforward from the cause to identify one or more other ones of thecomputing objects affected by the cause. The number of causalrelationships may include a data flow. The number of causalrelationships may include a control flow. The number of causalrelationships may include a network flow. The one or more computingobjects may include one or more types of computing objects selected froma group consisting of a data file, a process, an application, a registryentry, a network address, and a peripheral device. A number of eventswithin the sequence of events may be preserved for a predetermined timewindow, and where the predetermined time window has a different durationfor at least two different types of computing objects.

In an aspect, an endpoint may include a network interface, a memory, anda processor configured by computer executable code stored in the memoryto detect malware by performing the steps of instrumenting the endpointto monitor a number of causal relationships among a number of computingobjects at a plurality of logical locations within a computingenvironment related to the endpoint, selecting a first set of logicallocations from the plurality of logical locations, recording a sequenceof events causally relating the number of computing objects at the firstset of logical locations, creating an event graph based on the sequenceof events, applying a malware detection rule to the event graph, andremediating the endpoint when the malware detection rule and the eventgraph indicate a compromised security state. The processor may befurther configured to adjust the set of logical locations by adding anew logical location, removing an existing logical location, or changinga level of filtering at one of the set of logical locations according toa security state of the endpoint.

BRIEF DESCRIPTION OF THE FIGURES

The foregoing and other objects, features and advantages of the devices,systems, and methods described herein will be apparent from thefollowing description of particular embodiments thereof, as illustratedin the accompanying drawings. The drawings are not necessarily to scale,emphasis instead being placed upon illustrating the principles of thedevices, systems, and methods described herein.

FIG. 1 illustrates an environment for threat management.

FIG. 2 illustrates a computer system.

FIG. 3 illustrates a system for forensic analysis for computerprocesses.

FIG. 4 is a flowchart of a method for forensic analysis for computerprocesses.

FIG. 5 illustrates an event graph.

FIG. 6 shows a method for malware detection using an event graph.

DETAILED DESCRIPTION

Embodiments will now be described with reference to the accompanyingfigures, in which preferred embodiments are shown. The foregoing may,however, be embodied in many different forms and should not be construedas limited to the illustrated embodiments set forth herein.

All documents mentioned herein are hereby incorporated by reference intheir entirety. References to items in the singular should be understoodto include items in the plural, and vice versa, unless explicitly statedotherwise or clear from the context. Grammatical conjunctions areintended to express any and all disjunctive and conjunctive combinationsof conjoined clauses, sentences, words, and the like, unless otherwisestated or clear from the context. Thus, the term “or” should generallybe understood to mean “and/or” and so forth.

Recitation of ranges of values herein are not intended to be limiting,referring instead individually to any and all values falling within therange, unless otherwise indicated herein, and each separate value withinsuch a range is incorporated into the specification as if it wereindividually recited herein. The words “about,” “approximately,” or thelike, when accompanying a numerical value, are to be construed asindicating a deviation as would be appreciated by one of ordinary skillin the art to operate satisfactorily for an intended purpose. Ranges ofvalues and/or numeric values are provided herein as examples only, anddo not constitute a limitation on the scope of the describedembodiments. The use of any and all examples, or exemplary language(“e.g.,” “such as,” or the like) provided herein, is intended merely tobetter illuminate the embodiments and does not pose a limitation on thescope of the embodiments or the claims. No language in the specificationshould be construed as indicating any unclaimed element as essential tothe practice of the embodiments.

In the following description, it is understood that terms such as“first,” “second,” “third,” “above,” “below,” and the like, are words ofconvenience and are not to be construed as limiting terms unlessexpressly state otherwise.

FIG. 1 illustrates an environment for threat management. Specifically,FIG. 1 depicts a block diagram of a threat management system providingprotection to an enterprise against a plurality of threats-a context inwhich the following techniques may usefully be deployed. One aspectrelates to corporate policy management and implementation through aunified threat management facility 100. As will be explained in moredetail below, a threat management facility 100 may be used to protectcomputer assets from many threats, both computer-generated threats anduser-generated threats. The threat management facility 100 may bemulti-dimensional in that it may be designed to protect corporate assetsfrom a variety of threats and it may be adapted to learn about threatsin one dimension (e.g. worm detection) and apply the knowledge inanother dimension (e.g. spam detection). Policy management is one of thedimensions for which the threat management facility can provide acontrol capability. A corporation or other entity may institute a policythat prevents certain people (e.g. employees, groups of employees, typesof employees, guest of the corporation, etc.) from accessing certaintypes of computer programs. For example, the corporation may elect toprevent its accounting department from using a particular version of aninstant messaging service or all such services. In this example, thepolicy management facility 112 may be used to update the policies of allcorporate computing assets with a proper policy control facility or itmay update a select few. By using the threat management facility 100 tofacilitate the setting, updating and control of such policies thecorporation only needs to be concerned with keeping the threatmanagement facility 100 up to date on such policies. The threatmanagement facility 100 may take care of updating all of the othercorporate computing assets.

It should be understood that the threat management facility 100 mayprovide multiple services, and policy management may be offered as oneof the services. We will now turn to a description of certaincapabilities and components of the threat management system 100.

Over recent years, malware has become a major problem across theInternet 154. From both a technical perspective and a user perspective,the categorization of a specific threat type, whether as virus, worm,spam, phishing exploration, spyware, adware, or the like, is becomingreduced in significance. The threat, no matter how it is categorized,may need to be stopped at various points of a networked computingenvironment, such as one of an enterprise facility 102, including at oneor more laptops, desktops, servers, gateways, communication ports,handheld or mobile devices, firewalls, and the like. Similarly, theremay be less and less benefit to the user in having different solutionsfor known and unknown threats. As such, a consolidated threat managementfacility 100 may need to apply a similar set of technologies andcapabilities for all threats. In certain embodiments, the threatmanagement facility 100 may provide a single agent on the desktop, and asingle scan of any suspect file. This approach may eliminate theinevitable overlaps and gaps in protection caused by treating virusesand spyware as separate problems, while simultaneously simplifyingadministration and minimizing desktop load. As the number and range oftypes of threats has increased, so may have the level of connectivityavailable to all IT users. This may have led to a rapid increase in thespeed at which threats may move. Today, an unprotected PC connected tothe Internet 154 may be infected quickly (perhaps within 10 minutes)which may require acceleration for the delivery of threat protection.Where once monthly updates may have been sufficient, the threatmanagement facility 100 may automatically and seamlessly update itsproduct set against spam and virus threats quickly, for instance, everyfive minutes, every minute, continuously, or the like. Analysis andtesting may be increasingly automated, and also may be performed morefrequently; for instance, it may be completed in 15 minutes, and may doso without compromising quality. The threat management facility 100 mayalso extend techniques that may have been developed for virus andmalware protection, and provide them to enterprise facility 102 networkadministrators to better control their environments. In addition tostopping malicious code, the threat management facility 100 may providepolicy management that may be able to control legitimate applications,such as VoIP, instant messaging, peer-to-peer file-sharing, and thelike, that may undermine productivity and network performance within theenterprise facility 102.

The threat management facility 100 may provide an enterprise facility102 protection from computer-based malware, including viruses, spyware,adware, Trojans, intrusion, spam, policy abuse, uncontrolled access, andthe like, where the enterprise facility 102 may be any entity with anetworked computer-based infrastructure. In an embodiment, FIG. 1 maydepict a block diagram of the threat management facility 100 providingprotection to an enterprise against a plurality of threats. Theenterprise facility 102 may be corporate, commercial, educational,governmental, or the like, and the enterprise facility's 102 computernetwork may be distributed amongst a plurality of facilities, and in aplurality of geographical locations, and may include administration 134,a firewall 138A, an appliance 140A, server 142A, network devices 148A-B,clients 144A-D, such as protected by computer security facilities 152,and the like. It will be understood that any reference herein to clientfacilities may include the clients 144A-D shown in FIG. 1 andvice-versa. The threat management facility 100 may include a pluralityof functions, such as security management facility 122, policymanagement facility 112, update facility 120, definitions facility 114,network access rules facility 124, remedial action facility 128,detection techniques facility 130, testing facility 118, threat researchfacility 132, and the like. In embodiments, the threat protectionprovided by the threat management facility 100 may extend beyond thenetwork boundaries of the enterprise facility 102 to include clients144D (or client facilities) that have moved into network connectivitynot directly associated or controlled by the enterprise facility 102.Threats to client facilities may come from a plurality of sources, suchas from network threats 104, physical proximity threats 110, secondarylocation threats 108, and the like. Clients 144A-D may be protected fromthreats even when the client 144A-D is not located in association withthe enterprise 102, such as when a client 144E-F moves in and out of theenterprise facility 102, for example when interfacing with anunprotected server 142C through the Internet 154, when a client 144F ismoving into a secondary location threat 108 such as interfacing withcomponents 140B, 142B, 148C, 148D that are not protected, and the like.In embodiments, the threat management facility 100 may provide anenterprise facility 102 protection from a plurality of threats tomultiplatform computer resources in a plurality of locations and networkconfigurations, with an integrated system approach.

In embodiments, the threat management facility 100 may be provided as astand-alone solution. In other embodiments, the threat managementfacility 100 may be integrated into a third-party product. Anapplication programming interface (e.g. a source code interface) may beprovided such that the threat management facility 100 may be integrated.For instance, the threat management facility 100 may be stand-alone inthat it provides direct threat protection to an enterprise or computerresource, where protection is subscribed to directly 100. Alternatively,the threat management facility 100 may offer protection indirectly,through a third-party product, where an enterprise may subscribe toservices through the third-party product, and threat protection to theenterprise may be provided by the threat management facility 100 throughthe third-party product.

The security management facility 122 may include a plurality of elementsthat provide protection from malware to enterprise facility 102 computerresources, including endpoint security and control, email security andcontrol, web security and control, reputation-based filtering, controlof unauthorized users, control of guest and non-compliant computers, andthe like. The security management facility 122 may be a softwareapplication that may provide malicious code and malicious applicationprotection to a client facility computing resource. The securitymanagement facility 122 may have the ability to scan the client facilityfiles for malicious code, remove or quarantine certain applications andfiles, prevent certain actions, perform remedial actions and performother security measures. In embodiments, scanning the client facilitymay include scanning some or all of the files stored to the clientfacility on a periodic basis, scanning an application when theapplication is executed, scanning files as the files are transmitted toor from the client facility, or the like. The scanning of theapplications and files may be performed to detect known malicious codeor known unwanted applications. In an embodiment, new malicious code andunwanted applications may be continually developed and distributed, andupdates to the known code database may be provided on a periodic basis,on a demand basis, on an alert basis, or the like.

The security management facility 122 may provide email security andcontrol, where security management may help to eliminate spam, viruses,spyware and phishing, control of email content, and the like. Thesecurity management facility's 122 email security and control mayprotect against inbound and outbound threats, protect emailinfrastructure, prevent data leakage, provide spam filtering, and thelike. In an embodiment, security management facility 122 may provide forweb security and control, where security management may help to detector block viruses, spyware, malware, unwanted applications, help controlweb browsing, and the like, which may provide comprehensive web accesscontrol enabling safe, productive web browsing. Web security and controlmay provide Internet use policies, reporting on suspect devices,security and content filtering, active monitoring of network traffic,URI filtering, and the like. In an embodiment, the security managementfacility 122 may provide for network access control, which may providecontrol over network connections. Network control may stop unauthorized,guest, or non-compliant systems from accessing networks, and may controlnetwork traffic that may not be bypassed from the client level. Inaddition, network access control may control access to virtual privatenetworks (VPN), where VPNs may be a communications network tunneledthrough another network, establishing a logical connection acting as avirtual network. In embodiments, a VPN may be treated in the same manneras a physical network.

The security management facility 122 may provide host intrusionprevention through behavioral based protection, which may guard againstunknown threats by analyzing behavior before software code executes.Behavioral based protection may monitor code when it runs and interveneif the code is deemed to be suspicious or malicious. Advantages ofbehavioral based protection over runtime protection may include codebeing prevented from running. Whereas runtime protection may onlyinterrupt code that has already partly executed, behavioral protectioncan identify malicious code at the gateway or on the file servers anddelete the code before it can reach endpoint computers and the like.

The security management facility 122 may provide reputation filtering,which may target or identify sources of known malware. For instance,reputation filtering may include lists of URIs of known sources ofmalware or known suspicious IP addresses, or domains, say for spam, thatwhen detected may invoke an action by the threat management facility100, such as dropping them immediately. By dropping the source beforeany interaction can initiate, potential threat sources may be thwartedbefore any exchange of data can be made.

In embodiments, information may be sent from the enterprise back to athird party, a vendor, or the like, which may lead to improvedperformance of the threat management facility 100. For example, thetypes, times, and number of virus interactions that a client experiencesmay provide useful information for the preventions of future virusthreats. This type of feedback may be useful for any aspect of threatdetection. Feedback of information may also be associated with behaviorsof individuals within the enterprise, such as being associated with mostcommon violations of policy, network access, unauthorized applicationloading, unauthorized external device use, and the like. In embodiments,this type of information feedback may enable the evaluation or profilingof client actions that are violations of policy that may provide apredictive model for the improvement of enterprise policies.

The security management facility 122 may support overall security of theenterprise facility 102 network or set of enterprise facility 102networks, e.g., by providing updates of malicious code information tothe enterprise facility 102 network and associated client facilities.The updates may include a planned update, an update in reaction to athreat notice, an update in reaction to a request for an update, anupdate based on a search of known malicious code information, or thelike. The administration facility 134 may provide control over thesecurity management facility 122 when updates are performed. The updatesmay be automatically transmitted without an administration facility's134 direct control, manually transmitted by the administration facility134, or otherwise distributed. The security management facility 122 maymanage the receipt of malicious code descriptions from a provider,distribution of the malicious code descriptions to enterprise facility102 networks, distribution of the malicious code descriptions to clientfacilities, and so forth.

The threat management facility 100 may provide a policy managementfacility 112 that may be able to block non-malicious applications, suchas VoIP, instant messaging, peer-to-peer file-sharing, and the like,that may undermine productivity and network performance within theenterprise facility 102. The policy management facility 112 may be a setof rules or policies that may indicate enterprise facility 102 accesspermissions for the client facility, such as access permissionsassociated with the network, applications, external computer devices,and the like. The policy management facility 112 may include a database,a text file, a combination of databases and text files, or the like. Inan embodiment, a policy database may be a block list, a black list, anallowed list, a white list, or the like that may provide a list ofenterprise facility 102 external network locations/applications that mayor may not be accessed by the client facility. The policy managementfacility 112 may include rules that may be interpreted with respect toan enterprise facility 102 network access request to determine if therequest should be allowed. The rules may provide a generic rule for thetype of access that may be granted. The rules may be related to thepolicies of an enterprise facility 102 for access rights for theenterprise facility's 102 client facility. For example, there may be arule that does not permit access to sporting websites. When a website isrequested by the client facility, a security facility may access therules within a policy facility to determine if the requested access isrelated to a sporting website. In an embodiment, the security facilitymay analyze the requested website to determine if the website matcheswith any of the policy facility rules.

The policy management facility 112 may be similar to the securitymanagement facility 122 but with the addition of enterprise facility 102wide access rules and policies that may be distributed to maintaincontrol of client facility access to enterprise facility 102 networkresources. The policies may be defined for application type, subset ofapplication capabilities, organization hierarchy, computer facilitytype, user type, network location, time of day, connection type, or thelike. Policies may be maintained by the administration facility 134,through the threat management facility 100, in association with a thirdparty, or the like. For example, a policy may restrict IM activity toonly support personnel for communicating with customers. This may allowcommunication for departments requiring access, but may maintain thenetwork bandwidth for other activities by restricting the use of IM toonly the personnel that need access to instant messaging (IM) in supportof the enterprise facility 102. In an embodiment, the policy managementfacility 112 may be a stand-alone application, may be part of thenetwork server facility 142, may be part of the enterprise facility 102network, may be part of the client facility, or the like.

The threat management facility 100 may provide configuration management,which may be similar to policy management, but may specifically examinethe configuration set of applications, operating systems, hardware, andthe like, and manage changes to their configurations. Assessment of aconfiguration may be made against a standard configuration policy,detection of configuration changes, remediation of improperconfiguration, application of new configurations, and the like. Anenterprise may keep a set of standard configuration rules and policieswhich may represent the desired state of the device. For example, aclient firewall may be running and installed, but in the disabled state,where remediation may be to enable the firewall. In another example, theenterprise may set a rule that disallows the use of USB disks, and sendsa configuration change to all clients, which turns off USB drive accessvia a registry.

The threat management facility 100 may also provide for the removal ofapplications that potentially interfere with the operation of the threatmanagement facility 100, such as competitor products that may also beattempting similar threat management functions. The removal of suchproducts may be initiated automatically whenever such products aredetected. In the case where such applications are services are providedindirectly through a third-party product, the application may besuspended until action is taken to remove or disable the third-partyproduct's protection facility.

Threat management against a quickly evolving malware environment mayrequire timely updates, and thus an update management facility 120 maybe provided by the threat management facility 100. In addition, a policymanagement facility 112 may also require update management (e.g., asprovided by the update facility 120 herein described). The updatemanagement for the security facility 122 and policy management facility112 may be provided directly by the threat management facility 100, suchas by a hosted system or in conjunction with the administration facility134. In embodiments, the threat management facility 100 may provide forpatch management, where a patch may be an update to an operating system,an application, a system tool, or the like, where one of the reasons forthe patch is to reduce vulnerability to threats.

The security facility 122 and policy management facility 112 may pushinformation to the enterprise facility 102 network and/or clientfacility. The enterprise facility 102 network and/or client facility mayalso or instead pull information from the security facility 122 andpolicy management facility 112 network server facilities 142, or theremay be a combination of pushing and pulling of information between thesecurity facility 122 and the policy management facility 112 networkservers 142, enterprise facility 102 network, and client facilities, orthe like. For example, the enterprise facility 102 network and/or clientfacility may pull information from the security facility 122 and policymanagement facility 112 network server facility 142 may request theinformation using the security facility 122 and policy managementfacility 112 update module; the request may be based on a certain timeperiod, by a certain time, by a date, on demand, or the like. In anotherexample, the security facility 122 and policy management facility 112network servers 142 may push the information to the enterprisefacility's 102 network and/or client facility by providing notificationthat there are updates available for download and then transmitting theinformation. The combination of the security management 122 networkserver facility 142 and security update module may functionsubstantially the same as the policy management facility 112 networkserver and policy update module by providing information to theenterprise facility 102 network and the client facility in a push orpull method. In an embodiment, the policy management facility 112 andthe security facility 122 management update modules may work in concertto provide information to the enterprise facility's 102 network and/orclient facility for control of application execution. In an embodiment,the policy update module and security update module may be combined intoa single update module.

As threats are identified and characterized, the threat managementfacility 100 may create definition updates that may be used to allow thethreat management facility 100 to detect and remediate the latestmalicious software, unwanted applications, configuration and policychanges, and the like. The threat definition facility 114 may containthreat identification updates, also referred to as definition files. Adefinition file may be a virus identity file that may includedefinitions of known or potential malicious code. The virus identity(IDE) definition files may provide information that may identifymalicious code within files, applications, or the like. The definitionfiles may be accessed by security management facility 122 when scanningfiles or applications within the client facility for the determinationof malicious code that may be within the file or application. Thedefinition files may contain a number of commands, definitions, orinstructions, to be parsed and acted upon, or the like. In embodiments,the client facility may be updated with new definition filesperiodically to provide the client facility with the most recentmalicious code definitions; the updating may be performed on a set timeperiod, may be updated on demand from the client facility, may beupdated on demand from the network, may be updated on a receivedmalicious code alert, or the like. In an embodiment, the client facilitymay request an update to the definition files from an update facility120 within the network, may request updated definition files from acomputing facility external to the network, updated definition files maybe provided to the client facility 114 from within the network,definition files may be provided to the client facility from an externalcomputing facility from an external network, or the like.

A definition management facility 114 may provide timely updates ofdefinition files information to the network, client facilities, and thelike. New and altered malicious code and malicious applications may becontinually created and distributed to networks worldwide. Thedefinition files that maintain the definitions of the malicious code andmalicious application information for the protection of the networks andclient facilities may need continual updating to provide continualdefense of the network and client facility from the malicious code andmalicious applications. The definition files management may provide forautomatic and manual methods of updating the definition files. Inembodiments, the network may receive definition files and distribute thedefinition files to the network client facilities, the client facilitiesmay receive the definition files directly, or the network and clientfacilities may both receive the definition files, or the like. In anembodiment, the definition files may be updated on a fixed periodicbasis, on demand by the network and/or the client facility, as a resultof an alert of a new malicious code or malicious application, or thelike. In an embodiment, the definition files may be released as asupplemental file to an existing definition files to provide for rapidupdating of the definition files.

In a similar manner, the security management facility 122 may be used toscan an outgoing file and verify that the outgoing file is permitted tobe transmitted per the enterprise facility 102 rules and policies. Bychecking outgoing files, the security management facility 122 may beable discover malicious code infected files that were not detected asincoming files as a result of the client facility having been updatedwith either new definition files or policy management facility 112information. The definition files may discover the malicious codeinfected file by having received updates of developing malicious codefrom the administration facility 134, updates from a definition filesprovider, or the like. The policy management facility 112 may discoverthe malicious code infected file by having received new updates from theadministration facility 134, from a rules provider, or the like.

The threat management facility 100 may provide controlled access to theenterprise facility 102 networks. For instance, a manager of theenterprise facility 102 may want to restrict access to certainapplications, networks, files, printers, servers, databases, or thelike. In addition, the manager of the enterprise facility 102 may wantto restrict user access based on certain criteria, such as the user'slocation, usage history, need to know, job position, connection type,time of day, method of authentication, client-system configuration, orthe like. Network access rules may be developed for the enterprisefacility 102, or pre-packaged by a supplier, and managed by the threatmanagement facility 100 in conjunction with the administration facility134.

A network access rules facility 124 may be responsible for determiningif a client facility application should be granted access to a requestednetwork location. The network location may be on the same network as thefacility or may be on another network. In an embodiment, the networkaccess rules facility 124 may verify access rights for client facilitiesfrom within the network or may verify access rights of computerfacilities from external networks. When network access for a clientfacility is denied, the network access rules facility 124 may send aninformation file to the client facility containing. For example, theinformation sent by the network access rules facility 124 may be a datafile. The data file may contain a number of commands, definitions,instructions, or the like to be parsed and acted upon through theremedial action facility 128, or the like. The information sent by thenetwork access facility rules facility 124 may be a command or commandfile that the remedial action facility 128 may access and take actionupon.

The network access rules facility 124 may include databases such as ablock list, a black list, an allowed list, a white list, an unacceptablenetwork site database, an acceptable network site database, a networksite reputation database, or the like of network access locations thatmay or may not be accessed by the client facility. Additionally, thenetwork access rules facility 124 may incorporate rule evaluation; therule evaluation may parse network access requests and apply the parsedinformation to network access rules. The network access rule facility124 may have a generic set of rules that may be in support of anenterprise facility's 102 network access policies, such as denyingaccess to certain types of websites, controlling instant messengeraccesses, or the like. Rule evaluation may include regular expressionrule evaluation, or other rule evaluation method for interpreting thenetwork access request and comparing the interpretation to theestablished rules for network access. In an embodiment, the networkaccess rules facility 124 may receive a rules evaluation request fromthe network access control and may return the rules evaluation to thenetwork access control.

Similar to the threat definitions facility 114, the network access rulefacility 124 may provide updated rules and policies to the enterprisefacility 102. The network access rules facility 124 may be maintained bythe network administration facility 134, using network access rulesfacility 124 management. In an embodiment, the network administrationfacility 134 may be able to maintain a set of access rules manually byadding rules, changing rules, deleting rules, or the like. Additionally,the administration facility 134 may retrieve predefined rule sets from aremote provider of a set of rules to be applied to an entire enterprisefacility 102. The network administration facility 134 may be able tomodify the predefined rules as needed for a particular enterprisefacility 102 using the network access rules management facility 124.

When a threat or policy violation is detected by the threat managementfacility 100, the threat management facility 100 may perform or initiatea remedial action facility 128. Remedial action may take a plurality offorms, such as terminating or modifying an ongoing process orinteraction, sending a warning to a client or administration facility134 of an ongoing process or interaction, executing a program orapplication to remediate against a threat or violation, recordinteractions for subsequent evaluation, or the like. Remedial action maybe associated with an application that responds to information that aclient facility network access request has been denied. In anembodiment, when the data file is received, remedial action may parsethe data file, interpret the various aspects of the data file, and acton the parsed data file information to determine actions to be taken onan application requesting access to a denied network location. In anembodiment, when the data file is received, remedial action may accessthe threat definitions to parse the data file and determine an action tobe taken on an application requesting access to a denied networklocation. In an embodiment, the information received from the facilitymay be a command or a command file. The remedial action facility maycarry out any commands that are received or parsed from a data file fromthe facility without performing any interpretation of the commands. Inan embodiment, the remedial action facility may interact with thereceived information and may perform various actions on a clientrequesting access to a denied network location. The action may be one ormore of continuing to block all requests to a denied network location, amalicious code scan on the application, a malicious code scan on theclient facility, quarantine of the application, terminating theapplication, isolation of the application, isolation of the clientfacility to a location within the network that restricts network access,blocking a network access port from a client facility, reporting theapplication to an administration facility 134, or the like.

Remedial action may be provided as a result of a detection of a threator violation. The detection techniques facility 130 may includemonitoring the enterprise facility 102 network or endpoint devices, suchas by monitoring streaming data through the gateway, across the network,through routers and hubs, and the like. The detection techniquesfacility 130 may include monitoring activity and stored files oncomputing facilities, such as on server facilities 142, desktopcomputers, laptop computers, other mobile computing devices, and thelike. Detection techniques, such as scanning a computer's stored files,may provide the capability of checking files for stored threats, eitherin the active or passive state. Detection techniques, such as streamingfile management, may provide the capability of checking files receivedat the network, gateway facility, client facility, and the like. Thismay provide the capability of not allowing a streaming file or portionsof the streaming file containing malicious code from entering the clientfacility, gateway facility, or network. In an embodiment, the streamingfile may be broken into blocks of information, and a plurality of virusidentities may be used to check each of the blocks of information formalicious code. In an embodiment, any blocks that are not determined tobe clear of malicious code may not be delivered to the client facility,gateway facility, or network.

Verifying that the threat management facility 100 is detecting threatsand violations to established policy, may require the ability to testthe system, either at the system level or for a particular computingcomponent. The testing facility 118 may allow the administrationfacility 134 to coordinate the testing of the security configurations ofclient facility computing facilities on a network. The administrationfacility 134 may be able to send test files to a set of client facilitycomputing facilities to test the ability of the client facility todetermine acceptability of the test file. After the test file has beentransmitted, a recording facility may record the actions taken by theclient facility in reaction to the test file. The recording facility mayaggregate the testing information from the client facility and reportthe testing information to the administration facility 134. Theadministration facility 134 may be able to determine the level ofpreparedness of the client facility computing facilities by the reportedinformation. Remedial action may be taken for any of the client facilitycomputing facilities as determined by the administration facility 134;remedial action may be taken by the administration facility 134 or bythe user of the client facility.

The threat research facility 132 may provide a continuously ongoingeffort to maintain the threat protection capabilities of the threatmanagement facility 100 in light of continuous generation of new orevolved forms of malware. Threat research may include researchers andanalysts working on known and emerging malware, such as viruses,rootkits a spyware, as well as other computer threats such as phishing,spam, scams, and the like. In embodiments, through threat research, thethreat management facility 100 may be able to provide swift, globalresponses to the latest threats.

The threat management facility 100 may provide threat protection to theenterprise facility 102, where the enterprise facility 102 may include aplurality of networked components, such as client facility, serverfacility 142, administration facility 134, firewall 138, gateway, hubsand routers 148, threat management appliance 140, desktop users, mobileusers, and the like. In embodiments, it may be the endpoint computersecurity facility 152, located on a computer's desktop, which mayprovide threat protection to a user, and associated enterprise facility102. In embodiments, the term endpoint may refer to a computer systemthat may source data, receive data, evaluate data, buffer data, or thelike (such as a user's desktop computer as an endpoint computer), afirewall as a data evaluation endpoint computer system, a laptop as amobile endpoint computer, a personal digital assistant or tablet as ahand-held endpoint computer, a mobile phone as an endpoint computer, orthe like. In embodiments, endpoint may refer to a source or destinationfor data, including such components where the destination ischaracterized by an evaluation point for data, and where the data may besent to a subsequent destination after evaluation. The endpoint computersecurity facility 152 may be an application loaded onto the computerplatform or computer support component, where the application mayaccommodate the plurality of computer platforms and/or functionalrequirements of the component. For instance, a client facility computermay be one of a plurality of computer platforms, such as Windows,Macintosh, Linux, and the like, where the endpoint computer securityfacility 152 may be adapted to the specific platform, while maintaininga uniform product and product services across platforms. Additionally,components may have different functions to serve within the enterprisefacility's 102 networked computer-based infrastructure. For instance,computer support components provided as hubs and routers 148, serverfacility 142, firewalls 138, and the like, may require unique securityapplication software to protect their portion of the systeminfrastructure, while providing an element in an integrated threatmanagement system that extends out beyond the threat management facility100 to incorporate all computer resources under its protection.

The enterprise facility 102 may include a plurality of client facilitycomputing platforms on which the endpoint computer security facility 152is adapted. A client facility computing platform may be a computersystem that is able to access a service on another computer, such as aserver facility 142, via a network. This client facility server facility142 model may apply to a plurality of networked applications, such as aclient facility connecting to an enterprise facility 102 applicationserver facility 142, a web browser client facility connecting to a webserver facility 142, an e-mail client facility retrieving e-mail from anInternet 154 service provider's mail storage servers 142, and the like.In embodiments, traditional large client facility applications may beswitched to websites, which may increase the browser's role as a clientfacility. Clients 144 may be classified as a function of the extent towhich they perform their own processing. For instance, client facilitiesare sometimes classified as a fat client facility or thin clientfacility. The fat client facility, also known as a thick client facilityor rich client facility, may be a client facility that performs the bulkof data processing operations itself, and does not necessarily rely onthe server facility 142. The fat client facility may be most common inthe form of a personal computer, where the personal computer may operateindependent of any server facility 142. Programming environments for fatclients 144 may include CURI, Delphi, Droplets, Java, win32, X11, andthe like. Thin clients 144 may offer minimal processing capabilities,for instance, the thin client facility may primarily provide a graphicaluser interface provided by an application server facility 142, which mayperform the bulk of any required data processing. Programmingenvironments for thin clients 144 may include JavaScript/AJAX, ASP, JSP,Ruby on Rails, Python's Django, PUP, and the like. The client facilitymay also be a mix of the two, such as processing data locally, butrelying on a server facility 142 for data storage. As a result, thishybrid client facility may provide benefits from both the fat clientfacility type, such as multimedia support and high performance, and thethin client facility type, such as high manageability and flexibility.In embodiments, the threat management facility 100, and associatedendpoint computer security facility 152, may provide seamless threatprotection to the plurality of clients 144, and client facility types,across the enterprise facility 102.

The enterprise facility 102 may include a plurality of server facilities142, such as application servers, communications servers, file servers,database servers, proxy servers, mail servers, fax servers, gameservers, web servers, and the like. A server facility 142, which mayalso be referred to as a server facility 142 application, serverfacility 142 operating system, server facility 142 computer, or thelike, may be an application program or operating system that acceptsclient facility connections in order to service requests from clients144. The server facility 142 application may run on the same computer asthe client facility using it, or the server facility 142 and the clientfacility may be running on different computers and communicating acrossthe network. Server facility 142 applications may be divided amongserver facility 142 computers, with the dividing depending upon theworkload. For instance, under light load conditions all server facility142 applications may run on a single computer and under heavy loadconditions a single server facility 142 application may run on multiplecomputers. In embodiments, the threat management facility 100 mayprovide threat protection to server facilities 142 within the enterprisefacility 102 as load conditions and application changes are made.

A server facility 142 may also be an appliance facility 140, where theappliance facility 140 provides specific services onto the network.Though the appliance facility 140 is a server facility 142 computer,that may be loaded with a server facility 142 operating system andserver facility 142 application, the enterprise facility 102 user maynot need to configure it, as the configuration may have been performedby a third party. In an embodiment, an enterprise facility 102 appliancemay be a server facility 142 appliance that has been configured andadapted for use with the threat management facility 100, and locatedwithin the facilities of the enterprise facility 102. The enterprisefacility's 102 threat management appliance may enable the enterprisefacility 102 to administer an on-site local managed threat protectionconfiguration, where the administration facility 134 may access thethreat resources through an interface, such as a web portal. In analternate embodiment, the enterprise facility 102 may be managedremotely from a third party, vendor, or the like, without an appliancefacility 140 located within the enterprise facility 102. In thisinstance, the appliance functionality may be a shared hardware productbetween pluralities of enterprises 102. In embodiments, the appliancefacility 140 may be located at the enterprise facility 102, where theenterprise facility 102 maintains a degree of control. In embodiments, ahosted service may be provided, where the appliance 140 may still be anon-site black box to the enterprise facility 102, physically placedthere because of infrastructure requirements, but managed by a thirdparty, vendor, or the like.

Simple server facility 142 appliances may also be utilized across theenterprise facility's 102 network infrastructure, such as switches,routers, wireless routers, hubs and routers, gateways, print servers,net modems, and the like. These simple server facility appliances maynot require configuration by the enterprise facility 102, but mayrequire protection from threats via an endpoint computer securityfacility 152. These appliances may provide interconnection serviceswithin the enterprise facility 102 network, and therefore may advancethe spread of a threat if not properly protected.

A client facility may be protected from threats from within theenterprise facility 102 network using a personal firewall, which may bea hardware firewall, software firewall, or combination of these, thatcontrols network traffic to and from a client. The personal firewall maypermit or deny communications based on a security policy. Personalfirewalls may be designed for use by end-users, which may result inprotection for only the computer on which it's installed. Personalfirewalls may be able to control network traffic by providing promptseach time a connection is attempted and adapting security policyaccordingly. Personal firewalls may also provide some level of intrusiondetection, which may allow the software to terminate or blockconnectivity where it suspects an intrusion is being attempted. Otherfeatures that may be provided by a personal firewall may include alertsabout outgoing connection attempts, control of program access tonetworks, hiding the client from port scans by not responding tounsolicited network traffic, monitoring of applications that may belistening for incoming connections, monitoring and regulation ofincoming and outgoing network traffic, prevention of unwanted networktraffic from installed applications, reporting applications that makeconnection attempts, reporting destination servers with whichapplications may be attempting communications, and the like. Inembodiments, the personal firewall may be provided by the threatmanagement facility 100.

Another important component that may be protected by an endpointcomputer security facility 152 is a network firewall facility 138, whichmay be a hardware or software device that may be configured to permit,deny, or proxy data through a computer network that has different levelsof trust in its source of data. For instance, an internal enterprisefacility 102 network may have a high level of trust, because the sourceof all data has been sourced from within the enterprise facility 102. Anexample of a low level of trust is the Internet 154, because the sourceof data may be unknown. A zone with an intermediate trust level,situated between the Internet 154 and a trusted internal network, may bereferred to as a “perimeter network.” Since firewall facilities 138represent boundaries between threat levels, the endpoint computersecurity facility 152 associated with the firewall facility 138 mayprovide resources that may control the flow of threats at thisenterprise facility 102 network entry point. Firewall facilities 138,and associated endpoint computer security facility 152, may also beassociated with a network node that may be equipped for interfacingbetween networks that use different protocols. In embodiments, theendpoint computer security facility 152 may provide threat protection ina plurality of network infrastructure locations, such as at theenterprise facility 102 network entry point, e.g., the firewall facility138 or gateway; at the server facility 142; at distribution pointswithin the network, e.g., the hubs and routers 148; at the desktop ofclient facility computers; and the like. In embodiments, the mosteffective location for threat detection may be at the user's computerdesktop endpoint computer security facility 152.

The interface between the threat management facility 100 and theenterprise facility 102, and through the appliance facility 140 toembedded endpoint computer security facilities, may include a set oftools that may be the same for all enterprise implementations, but alloweach enterprise to implement different controls. In embodiments, thesecontrols may include both automatic actions and managed actions.Automatic actions may include downloads of the endpoint computersecurity facility 152 to components of the enterprise facility 102,downloads of updates to existing endpoint computer security facilitiesof the enterprise facility 102, uploaded network interaction requestsfrom enterprise facility 102 components to the threat managementfacility 100, and the like. In embodiments, automatic interactionsbetween the enterprise facility 102 and the threat management facility100 may be configured by the threat management facility 100 and anadministration facility 134 in the enterprise facility 102. Theadministration facility 134 may configure policy rules that determineinteractions, such as developing rules for accessing applications, as inwho is authorized and when applications may be used; establishing rulesfor ethical behavior and activities; rules governing the use ofentertainment software such as games, or personal use software such asIM and VoIP; rules for determining access to enterprise facility 102computing resources, including authentication, levels of access, riskassessment, and usage history tracking; rules for when an action is notallowed, such as whether an action is completely deigned or justmodified in its execution; and the like. The administration facility 134may also establish license management, which in turn may furtherdetermine interactions associated with a licensed application. Inembodiments, interactions between the threat management facility 100 andthe enterprise facility 102 may provide threat protection to theenterprise facility 102 by managing the flow of network data into andout of the enterprise facility 102 through automatic actions that may beconfigured by the threat management facility 100 or the administrationfacility 134.

Client facilities within the enterprise facility 102 may be connected tothe enterprise facility 102 network by way of wired network facilities148A or wireless network facilities 148B. Client facilities connected tothe enterprise facility 102 network via a wired facility 148A orwireless facility 148B may receive similar protection, as bothconnection types are ultimately connected to the same enterprisefacility 102 network, with the same endpoint computer security facility152, and the same threat protected enterprise facility 102 environment.Mobile wireless facility clients 144B-F, because of their ability toconnect to any wireless 148B,D network access point, may connect to theInternet 154 outside the enterprise facility 102, and therefore outsidethe threat-protected environment of the enterprise facility 102. In thisinstance, the mobile client facility (e.g., the clients 144 B-F), if notfor the presence of the endpoint computer security facility 152 mayexperience a malware attack or perform actions counter to enterprisefacility 102 established policies. In addition, there may be a pluralityof ways for the threat management facility 100 to protect theout-of-enterprise facility 102 mobile client facility (e.g., the clients144 D-F) that has an embedded endpoint computer security facility 152,such as by providing URI filtering in personal routers, using a webappliance as a DNS proxy, or the like. Mobile client facilities that arecomponents of the enterprise facility 102 but temporarily outsideconnectivity with the enterprise facility 102 network may be providedwith the same threat protection and policy control as client facilitiesinside the enterprise facility 102. In addition, mobile the clientfacilities may receive the same interactions to and from the threatmanagement facility 100 as client facilities inside the enterprisefacility 102, where the mobile client facilities may be considered avirtual extension of the enterprise facility 102, receiving all the sameservices via their embedded endpoint computer security facility 152.

Interactions between the threat management facility 100 and thecomponents of the enterprise facility 102, including mobile clientfacility extensions of the enterprise facility 102, may ultimately beconnected through the Internet 154. Threat management facility 100downloads and upgrades to the enterprise facility 102 may be passed fromthe firewalled networks of the threat management facility 100 through tothe endpoint computer security facility 152 equipped components of theenterprise facility 102. In turn the endpoint computer security facility152 components of the enterprise facility 102 may upload policy andaccess requests back across the Internet 154 and through to the threatmanagement facility 100. The Internet 154 however, is also the paththrough which threats may be transmitted from their source. Thesenetwork threats 104 may include threats from a plurality of sources,including without limitation, websites, e-mail, IM, VoIP, applicationsoftware, and the like. These threats may attempt to attack a mobileenterprise client facility (e.g., the clients 144B-F) equipped with anendpoint computer security facility 152, but in embodiments, as long asthe mobile client facility is embedded with an endpoint computersecurity facility 152, as described above, threats may have no bettersuccess than if the mobile client facility were inside the enterprisefacility 102.

However, if the mobile client facility were to attempt to connect intoan unprotected connection point, such as at a secondary location 108that is not a part of the enterprise facility 102, the mobile clientfacility may be required to request network interactions through thethreat management facility 100, where contacting the threat managementfacility 100 may be performed prior to any other network action. Inembodiments, the client facility's 144 endpoint computer securityfacility 152 may manage actions in unprotected network environments suchas when the client facility (e.g., client 144F) is in a secondarylocation 108 or connecting wirelessly to a non-enterprise facility 102wireless Internet connection, where the endpoint computer securityfacility 152 may dictate what actions are allowed, blocked, modified, orthe like. For instance, if the client facility's 144 endpoint computersecurity facility 152 is unable to establish a secured connection to thethreat management facility 100, the endpoint computer security facility152 may inform the user of such, and recommend that the connection notbe made. In the instance when the user chooses to connect despite therecommendation, the endpoint computer security facility 152 may performspecific actions during or after the unprotected connection is made,including running scans during the connection period, running scansafter the connection is terminated, storing interactions for subsequentthreat and policy evaluation, contacting the threat management facility100 upon first instance of a secured connection for further actions andor scanning, restricting access to network and local resources, or thelike. In embodiments, the endpoint computer security facility 152 mayperform specific actions to remediate possible threat incursions orpolicy violations during or after the unprotected connection.

The secondary location 108 may have no endpoint computer securityfacilities 152 as a part of its computer components, such as itsfirewalls 138B, servers 142B, clients 144G, hubs and routers 148C-D, andthe like. As a result, the computer components of the secondary location108 may be open to threat attacks, and become potential sources ofthreats, as well as any mobile enterprise facility clients 144B-F thatmay be connected to the secondary location's 108 network. In thisinstance, these computer components may now unknowingly spread a threatto other components connected to the network.

Some threats may not come directly from the Internet 154, such as fromnon-enterprise facility controlled mobile devices that are physicallybrought into the enterprise facility 102 and connected to the enterprisefacility 102 client facilities. The connection may be made from directconnection with the enterprise facility's 102 client facility, such asthrough a USB port, or in physical proximity with the enterprisefacility's 102 client facility such that a wireless facility connectioncan be established, such as through a Bluetooth connection. Thesephysical proximity threats 110 may be another mobile computing device, aportable memory storage device, a mobile communications device, or thelike, such as CDs and DVDs, memory sticks, flash drives, external harddrives, cell phones, PDAs, MP3 players, digital cameras, point-to-pointdevices, digital picture frames, digital pens, navigation devices,tablets, appliances, and the like. A physical proximity threat 110 mayhave been previously infiltrated by network threats while connected toan unprotected network connection outside the enterprise facility 102,and when connected to the enterprise facility 102 client facility, posea threat. Because of their mobile nature, physical proximity threats 110may infiltrate computing resources in any location, such as beingphysically brought into the enterprise facility 102 site, connected toan enterprise facility 102 client facility while that client facility ismobile, plugged into an unprotected client facility at a secondarylocation 108, and the like. A mobile device, once connected to anunprotected computer resource, may become a physical proximity threat110. In embodiments, the endpoint computer security facility 152 mayprovide enterprise facility 102 computing resources with threatprotection against physical proximity threats 110, for instance, throughscanning the device prior to allowing data transfers, through securityvalidation certificates, through establishing a safe zone within theenterprise facility 102 computing resource to transfer data into forevaluation, and the like.

Having provided an overall context for threat detection, the descriptionnow turns to a brief discussion of an example of a computer system thatmay be used for any of the entities and facilities described above.

FIG. 2 illustrates a computer system. In general, the computer system200 may include a computing device 210 connected to a network 202, e.g.,through an external device 204. The computing device 210 may be orinclude any type of network endpoint or endpoints as described herein,e.g., with reference to FIG. 1 above. For example, the computing device210 may include a desktop computer workstation. The computing device 210may also or instead be any device suitable for interacting with otherdevices over a network 202, such as a laptop computer, a desktopcomputer, a personal digital assistant, a tablet, a mobile phone, atelevision, a set top box, a wearable computer, and the like. Thecomputing device 210 may also or instead include a server such as any ofthe servers described herein.

The computing device 210 may be used for any of the entities describedin the threat management environment described above with reference toFIG. 1. For example, the computing device 210 may be part of or mayinclude a client an enterprise facility, a threat management facility,or any of the other facilities or computing devices described therein.In certain aspects, the computing device 210 may be implemented usinghardware or a combination of software and hardware. The computing device210 may be a standalone device, a device integrated into another entityor device, a platform distributed across multiple entities, or avirtualized device executing in a virtualization environment.

The network 202 may include any network described above, e.g., datanetwork(s) or internetwork(s) suitable for communicating data andcontrol information among participants in the computer system 200. Thismay include public networks such as the Internet, private networks, andtelecommunications networks such as the Public Switched TelephoneNetwork or cellular networks using third generation cellular technology(e.g., 3G or IMT-2000), fourth generation cellular technology (e.g., 4G,LTE. MT-Advanced, E-UTRA, etc.) or WiMax-Advanced (IEEE 802.16m)) and/orother technologies, as well as any of a variety of corporate area,metropolitan area, campus or other local area networks or enterprisenetworks, along with any switches, routers, hubs, gateways, and the likethat might be used to carry data among participants in the computersystem 200. The network 202 may also include a combination of datanetworks, and need not be limited to a strictly public or privatenetwork.

The external device 204 may be any computer or other remote resourcethat connects to the computing device 210 through the network 202. Thismay include threat management resources such as any of thosecontemplated above, gateways or other network devices, remote servers orthe like containing content requested by the computing device 210, anetwork storage device or resource, a device hosting malicious content,or any other resource or device that might connect to the computingdevice 210 through the network 202.

In general, the computing device 210 may include a processor 212, amemory 214, a network interface 216, a data store 218, and one or moreinput/output interfaces 220. The computing device 210 may furtherinclude or be in communication with peripherals 222 and other externalinput/output devices that might connect to the input/output interfaces220.

The processor 212 may be any processor or other processing circuitrycapable of processing instructions for execution within the computingdevice 210 or computer system 200. The processor 212 may include asingle-threaded processor, a multi-threaded processor, a multi-coreprocessor and so forth. The processor 212 may be capable of processinginstructions stored in the memory 214 or the data store 218.

The memory 214 may store information within the computing device 210.The memory 214 may include any volatile or non-volatile memory or othercomputer-readable medium, including without limitation a Random-AccessMemory (RAM), a flash memory, a Read Only Memory (ROM), a ProgrammableRead-only Memory (PROM), an Erasable PROM (EPROM), registers, and soforth. The memory 214 may store program instructions, program data,executables, and other software and data useful for controllingoperation of the computing device 210 and configuring the computingdevice 210 to perform functions for a user. The memory 214 may include anumber of different stages and types of memory for different aspects ofoperation of the computing device 210. For example, a processor mayinclude on-board memory and/or cache for faster access to certain dataor instructions, and a separate, main memory or the like may be includedto expand memory capacity as desired. All such memory types may be apart of the memory 214 as contemplated herein.

The memory 214 may, in general, include a non-volatile computer readablemedium containing computer code that, when executed by the computingdevice 210 creates an execution environment for a computer program inquestion, e.g., code that constitutes processor firmware, a protocolstack, a database management system, an operating system, or acombination of the foregoing, and that performs some or all of the stepsset forth in the various flow charts and other algorithmic descriptionsset forth herein. While a single memory 214 is depicted, it will beunderstood that any number of memories may be usefully incorporated intothe computing device 210. For example, a first memory may providenon-volatile storage such as a disk drive for permanent or long-termstorage of files and code even when the computing device 210 is powereddown. A second memory such as a random-access memory may providevolatile (but higher speed) memory for storing instructions and data forexecuting processes. A third memory may be used to improve performanceby providing higher speed memory physically adjacent to the processor212 for registers, caching and so forth.

The network interface 216 may include any hardware and/or software forconnecting the computing device 210 in a communicating relationship withother resources through the network 202. This may include remoteresources accessible through the Internet, as well as local resourcesavailable using short range communications protocols using, e.g.,physical connections (e.g., Ethernet), radio frequency communications(e.g., WiFi), optical communications, (e.g., fiber optics, infrared, orthe like), ultrasonic communications, or any combination of these orother media that might be used to carry data between the computingdevice 210 and other devices. The network interface 216 may, forexample, include a router, a modem, a network card, an infraredtransceiver, a radio frequency (RF) transceiver, a near fieldcommunications interface, a radio-frequency identification (RFID) tagreader, or any other data reading or writing resource or the like.

More generally, the network interface 216 may include any combination ofhardware and software suitable for coupling the components of thecomputing device 210 to other computing or communications resources. Byway of example and not limitation, this may include electronics for awired or wireless Ethernet connection operating according to the IEEE802.11 standard (or any variation thereof), or any other short or longrange wireless networking components or the like. This may includehardware for short range data communications such as Bluetooth or aninfrared transceiver, which may be used to couple to other localdevices, or to connect to a local area network or the like that is inturn coupled to a data network 202 such as the Internet. This may alsoor instead include hardware/software for a WiMax connection or acellular network connection (using, e.g., CDMA, GSM, LTE, or any othersuitable protocol or combination of protocols). The network interface216 may be included as part of the input/output devices 220 orvice-versa.

The data store 218 may be any internal memory store providing acomputer-readable medium such as a disk drive, an optical drive, amagnetic drive, a flash drive, or other device capable of providing massstorage for the computing device 210. The data store 218 may storecomputer readable instructions, data structures, program modules, andother data for the computing device 210 or computer system 200 in anon-volatile form for subsequent retrieval and use. For example, thedata store 218 may store without limitation one or more of the operatingsystem, application programs, program data, databases, files, and otherprogram modules or other software objects and the like.

The input/output interface 220 may support input from and output toother devices that might couple to the computing device 210. This may,for example, include serial ports (e.g., RS-232 ports), universal serialbus (USB) ports, optical ports, Ethernet ports, telephone ports, audiojacks, component audio/video inputs, HDMI ports, and so forth, any ofwhich might be used to form wired connections to other local devices.This may also or instead include an infrared interface, RF interface,magnetic card reader, or other input/output system for coupling in acommunicating relationship with other local devices. It will beunderstood that, while the network interface 216 for networkcommunications is described separately from the input/output interface220 for local device communications, these two interfaces may be thesame, or may share functionality, such as where a USB port is used toattach to a WiFi accessory, or where an Ethernet connection is used tocouple to a local network attached storage.

A peripheral 222 may include any device used to provide information toor receive information from the computing device 200. This may includehuman input/output (I/O) devices such as a keyboard, a mouse, a mousepad, a track ball, a joystick, a microphone, a foot pedal, a camera, atouch screen, a scanner, or other device that might be employed by theuser 230 to provide input to the computing device 210. This may also orinstead include a display, a speaker, a printer, a projector, a headsetor any other audiovisual device for presenting information to a user.The peripheral 222 may also or instead include a digital signalprocessing device, an actuator, or other device to support control orcommunication to other devices or components. Other I/O devices suitablefor use as a peripheral 222 include haptic devices, three-dimensionalrendering systems, augmented-reality displays, and so forth. In oneaspect, the peripheral 222 may serve as the network interface 216, suchas with a USB device configured to provide communications via shortrange (e.g., BlueTooth, WiFi, Infrared, RF, or the like) or long range(e.g., cellular data or WiMax) communications protocols. In anotheraspect, the peripheral 222 may provide a device to augment operation ofthe computing device 210, such as a global positioning system (GPS)device, a security dongle, or the like. In another aspect, theperipheral may be a storage device such as a flash card, USB drive, orother solid state device, or an optical drive, a magnetic drive, a diskdrive, or other device or combination of devices suitable for bulkstorage. More generally, any device or combination of devices suitablefor use with the computing device 200 may be used as a peripheral 222 ascontemplated herein.

Other hardware 226 may be incorporated into the computing device 200such as a co-processor, a digital signal processing system, a mathco-processor, a graphics engine, a video driver, and so forth. The otherhardware 226 may also or instead include expanded input/output ports,extra memory, additional drives (e.g., a DVD drive or other accessory),and so forth.

A bus 232 or combination of busses may serve as an electromechanicalplatform for interconnecting components of the computing device 200 suchas the processor 212, memory 214, network interface 216, other hardware226, data store 218, and input/output interface. As shown in the figure,each of the components of the computing device 210 may be interconnectedusing a system bus 232 or other communication mechanism forcommunicating information.

Methods and systems described herein may be realized using the processor212 of the computer system 200 to execute one or more sequences ofinstructions contained in the memory 214 to perform predetermined tasks.In embodiments, the computing device 200 may be deployed as a number ofparallel processors synchronized to execute code together for improvedperformance, or the computing device 200 may be realized in avirtualized environment where software on a hypervisor or othervirtualization management facility emulates components of the computingdevice 200 as appropriate to reproduce some or all of the functions of ahardware instantiation of the computing device 200.

Described herein are techniques for forensic analysis of computerprocesses. These forensic analysis techniques may use any of thecomponents or systems described with reference to the figures above. Forexample, the techniques for forensic analysis for computer processes maybe implemented by the threat management facility 100 described withreference to FIG. 1, e.g., for one or more endpoints included on anenterprise facility 102. Also, the forensic analysis techniques mayutilize any of the features of the threat management facility 100described with reference to FIG. 1, e.g., the detection techniques 130.The techniques for forensic analysis for computer processes may also orinstead be used for a computing device 210 as described with referenceto FIG. 2 above.

Forensic analysis for computer processes may include a root causeanalysis—e.g., determining and analyzing an origin or root cause of apiece of malware. Techniques may include monitoring activity for one ormore endpoints and recording the activity in a data recorder or thelike. The data recorder may include a database or data store. The datarecorder may act as a rolling buffer, e.g., storing a large amount ofdata for predetermined time windows before overwriting old data with newdata. The data recorder may collect information about device activity,such as file creations, process creations, registry changes, memoryinjections, and so forth. In an aspect, when a beacon or trigger eventis detected (e.g., an event pertinent to computer or network security),information from the data recorder may be analyzed (e.g., starting atthe trigger event) to determine a root cause and to determine affectedcomputing objects. Existing compromise detection techniques such as hostintrusion prevention, malicious traffic detection, uniform resourcelocator (URL) blocking, file-based detection, and so on, may be used todetect the beacon or trigger event. In this manner, techniques forforensic analysis for computer processes may be combined with othermalware and compromise prevention, detection, analysis, and remediationtechniques such as any as described herein. An event graph may begenerated showing connected events that are causally related to thedetected event, e.g., based on one or more rules. Based on an analysisof these causally related events, the root cause of a detected event canbe determined, and affected events going forward from the root cause cansimilarly be identified.

FIG. 3 illustrates a system for forensic analysis for computerprocesses. The system 300 may include an endpoint 310 containing a datarecorder 320, a monitoring facility 330, and any number of objects 312and events 314. An analysis facility 340 may be coupled in acommunicating relationship with the endpoint 310 over a data network 350such as any of the networks described above. It will be appreciatedthat, while illustrated as components of the endpoint 310, certaincomponents of the system 300 such as the data recorder 320 and themonitoring facility 330 and the analysis facility may also or instead berealized as remote services instantiated on a virtual appliance, apublic or private cloud, or the like, any of which may be coupled to theendpoint 310 through the data network 350 or another communicationchannel (not shown). Each of the components of the system 300 may beconfigured with suitable programming and configuration to participate inthe various forensic techniques, threat detection techniques, andsecurity management techniques contemplated herein.

The endpoint 310 may be any of the endpoints described herein, e.g., acomputing device in an enterprise network, or any other device ornetwork asset that might join or participate in an enterprise orotherwise operate on an enterprise network. This may, for example,include a server, a client device such as a desktop computer or a mobilecomputing device (e.g., a laptop computer or a tablet), a cellularphone, a smart phone, or other computing device suitable forparticipating in the system 300 or in an enterprise.

In general, the endpoint 310 may include any number of computing objects312, which may for example, be processes executed by one or moreprocessors or other processing circuitry, files or data stored inmemory, or any other computing objects described herein. While the termobject has a number of specific meanings in the art, and in particularin object-oriented programming, it will be understood that the term‘object’ as used herein is intended to be significantly broader, and mayinclude any data, process, file or combination of these includingwithout limitation any process, application, executable, script, dynamiclinked library (DLL), file, data, database, data source, data structure,function, resource locator (e.g., uniform resource locator (URL) orother uniform resource identifier (URI)), or the like that might beresident on the endpoint 310 and manipulated by the endpoint 310 oranother component of the system 300 or other systems described elsewhereherein. The object 312 may also or instead include a remote resource,such as a resource identified in a URL. That is, while the object 312 inthe figure is depicted as residing on the endpoint 310, an object 312may also reside elsewhere in the system 300, and may be specified forexample with a link, pointer, or reference that is locally stored on theendpoint 310.

The object 312 may be an item that is performing an action or causing anevent 314, or the object 312 may be an item that is receiving the actionor is the result of an event 314 (e.g., the object 312 may be an item inthe system 300 being acted upon by an event 314 or another object 312).In general, an event 314 as contemplated herein may be any data flow,execution flow, control flow, network flow, or other similar action orevent that might causally relate objects 312 to one another. Where theobject 312 is data or includes data, the object 312 may be encrypted orotherwise protected, or the object 312 may be unencrypted or otherwiseunprotected. The object 312 may be a process or other computing objectthat performs an action, which may include a single event 314 or acollection or sequence of events 314 taken by a process. The object 312may also or instead include an item such as a file or lines of code thatare executable to perform such actions. The object 312 may also orinstead include a computing component upon which an action is taken,e.g., a system setting (e.g., a registry key or the like), a data file,a URL, and so forth. The object 312 may exhibit a behavior such as aninteraction with another object or a component of the system 300.

Objects 312 may be described in terms of persistence. The object 312may, for example, be a part of a process, and remain persistent as longas that process is alive. The object 312 may instead be persistentacross an endpoint 310 and remain persistent as long as an endpoint 310is active or alive. The object 312 may instead be a global object havingpersistence outside of an endpoint 310, such as a URL or a data store.In other words, the object 312 may be a persistent object withpersistence outside of the endpoint 310.

Although many if not most objects 312 will typically be benign objectsforming a normal part of the computing environment for an operatingendpoint 310, an object 312 may contain software associated with anadvanced persistent threat (APT) or other malware that resides partiallyor entirely on the endpoint 310. This associated software may havereached the endpoint 310 in a variety of ways, and may have been placedmanually or automatically on the endpoint 310 by a malicious source. Itwill be understood that the associated software may take any number offorms and have any number of components. For example, the associatedsoftware may include an executable file that can execute independently,or the associated software may be a macro, plug-in, or the like thatexecutes within another application. Similarly, the associated softwaremay manifest as one or more processes or threads executing on theendpoint 310. Further, the associated software may install from a fileon the endpoint 310 (or a file remote from the endpoint 310), and theassociated software may create one or more files such as data files orthe like while executing. Associated software should be understood togenerally include all such files and processes except where a specificfile or process is more specifically noted.

An event 314 may include an action, a behavior, an interaction, and soforth. The event 314 may be generated by or otherwise related to anobject 312. For example, the event 314 may be associated with a file andinclude an action such as a read, a write, an open, a move, a copy, adelete, and so forth. The event 314 may also or instead include aninter-process communication, e.g., a create, a handle, a debug, a remoteinjection, and so forth. The event 314 may also or instead include anetwork action such as accessing an Internet Protocol (IP) address orURL.

The data recorder 320 may monitor and record activity related to theobjects 312 and events 314 occurring on the endpoint 310. The activityof the endpoint 310 may be stored in a data log 322 or the like on thedata recorder 320, which may be stored locally on the endpoint 310 (asdepicted) or remotely at a threat management resource, or somecombination of these, such as where the data log 322 is periodicallytransmitted to a remote facility for archiving or analysis. The datarecorder 320 may continuously record any activity occurring on theendpoint 310 for predetermined periods of time before overwritingpreviously recorded data. Thus, the data log 322 may include acontinuous data feed of events 314. When an event 314 is detected thatis a beacon or trigger event (such as a file detection, a malicioustraffic detection, or the like), the data log 322 may be saved andtransmitted to an analysis facility 340 or the like for analysis, e.g.,to determine a root cause of the beacon or trigger event. The data log322 may be used to create an event graph or other snapshot of theactivity on the endpoint 310, e.g., for a period of time surrounding abeacon or trigger event. The beacon or trigger event may be detectedlocally by the monitoring facility 330, or remotely by a remote threatmanagement facility or the like, or some combination of these.

While illustrated on the endpoint 310, it will be understood that thedata recorder 320 may also or instead be implemented at a remotelocation such as a threat management facility or other enterprisenetwork security resource, or some combination of these. The datarecorder 320 may be provisioned on the same or a different device than adata store in which data is stored. The data recorder 320 may beconfigured to record data as efficiently as possible so as to minimizeimpact on the endpoint 310.

The monitoring facility 330 may work in conjunction with the datarecorder 320 to instrument the endpoint 310 so that any observableevents 314 by or involving various objects 312 can be monitored andrecorded. It will be appreciated that various filtering rules andtechniques may be used to synopsize, summarize, filter, compress orotherwise process information captured by the data recorder 320 to helpensure that relevant information is captured while maintaining practicallimits on the amount of information that is gathered.

A security product 332 may execute on the endpoint 310 to detect asecurity event on the endpoint 310, which may act as the beacon ortrigger event for the system 300. The security product 332 may usetechniques such as signature-based and behavioral-based malwaredetection including without limitation one or more of host intrusionprevention, malicious traffic detection, URL blocking, file-baseddetection, and so forth.

The beacon or trigger event on the endpoint 310 may be a fully qualified(e.g., definitive) detection of a compromise or other maliciousactivity. In another aspect, the beacon or trigger event on the endpoint310 may be a suspicious behavior that is suspicious but not confirmed asmalicious. For example, the beacon or trigger event on the endpoint 310may signal an unusual behavior that is known to commonly appearconcurrently with the detection of malware. In an aspect, when thebeacon or trigger event is a suspicious behavior, the data log 322 maybe analyzed differently than when the beacon or trigger event is aconfirmed malicious behavior. For example, the data log 322 may be sentto a different component of the system 300 through the network, e.g., toa different analysis facility 340.

The monitoring facility 330 may be disposed remotely from the endpoint310 or analysis facility 340. The monitoring facility 330 may beincluded on one or more of the endpoint 310 or analysis facility 340. Inan aspect, the monitoring facility 330 and the analysis facility 340included in the same component.

The analysis facility 340 may analyze the data log 322, e.g., as part ofa root cause analysis and to identify objects 312 compromised by theroot cause. To this end, the analysis facility 340 may utilize one ormore rules 342 for applying to the data included in the data log 322 todetermine a root cause of a beacon or trigger event such as a suspectedor actual security compromise on the endpoint 310. The analysis facility340 may reside locally on the endpoint 310 (e.g., be a part of, embeddedwithin, or locally coupled to the endpoint 310). The analysis facility340 may be an external facility, or it may reside in a virtual appliance(e.g., which could be run by a protected set of systems on their ownnetwork systems), a private cloud, a public cloud, and so forth. Theanalysis facility 340 may store locally-derived threat information foruse in subsequent identification, remediation, or other similaractivity. The analysis facility 340 may also or instead receive threatinformation from a third-party source such as any public, private,educational, or other organization that gathers information on networkthreats and provides analysis and threat detection information for useby others. This third-party information may, for example, be used toimprove detection rules or other forensic analysis that might beperformed on information in the data log 322.

The analysis facility 340 may create an event graph. In general, theevent graph may represent information in the data log 322 in a graphwhere objects 312 are nodes and events 314 are edges connecting thenodes to one another based on causal or other relationships as generallycontemplated herein. The event graph may be used by the analysisfacility 340 or other component(s) of the system 300 as part of a rootcause analysis and to identify objects 312 compromised by the rootcause. The event graph may also or instead be displayed to a user of thesystem 300 or endpoint 310, e.g., using an interactive user interface orthe like.

The system 300 may advantageously use the data log 322 to configure andinitialize an analysis in a sandboxed or otherwise isolated environmentwhere the execution of the recorded activity related to a detectedsecurity event is allowed to run. That is, rather than uploading acomplete image of an endpoint 310 using conventional techniques, thedata log 322 may include only a series of events/processes related tothe detected event that may be uploaded for execution/analysis. Theanalysis may thus include executing this series of events/processes inthe same order to determine a threat level for the endpoint 310.

The data log 322 may include data from a single endpoint 310, or from anumber of endpoints 310, for example where one endpoint 310 accesses aservice or a file on another endpoint. This advantageously facilitatestracking or detection of potentially malicious activity that spansmultiple devices, particularly where the behavior on a single endpointdoes not appear malicious. Thus, the monitoring facility 330 may monitoractivity from an endpoint 310 exclusively, or use the full context ofactivity from all protected endpoints 310, or some combination of these.Similarly, the event graph generated from the data log 322 may includeactivity from one endpoint 310 exclusively, or use the full context ofactivity from all protected endpoints 310, or some combination of these.Data logs 322 and event graphs may also or instead be stored for futureanalyses, e.g., for comparing to future data logs and event graphs.

Similarly, the events may include human interactions such as keyboardstrokes, mouse clicks or other input and output to human interfacedevices and hardware. This usefully permits discrimination within causalchains among events initiated by processes executing on a device andevents that are initiated or controlled by a human user that is presenton the endpoint.

FIG. 4 is a flowchart of a method for forensic analysis for computerprocesses. The method 400 may be implemented by any of the systemsdescribed above or otherwise herein. The method 400 may be used as partof a root cause analysis, e.g., for determining a root cause of malwareon an endpoint, and for identifying computing objects affected bymalware, e.g., computing objects causally related to the root cause.

As shown in step 402, the method 400 may include monitoring events on adevice, such as a first endpoint. The events may be any as describedherein, e.g., events associated with computing objects on the endpoint.The computing objects may, for example include a data file, a process,an application, a registry entry, a network address, a peripheraldevice, or any of the other computing objects described herein. Forexample, in an aspect, the computing objects may include one or morenetwork addresses specified at any suitable level of abstraction oraccording to any suitable protocol such as a uniform resource locator(URL), an Internet Protocol (IP) address, and a domain name, and mayinclude any or a portion of associated path information or the like thatmight be associated therewith. The computing objects may also or insteadinclude a peripheral device such as a universal serial bus (USB) memory,a camera, a printer, a memory card, a removable bulk storage device, akeyboard, a mouse, a track pad, a printer, a scanner, a cellular phone,or any other input or output device that might usefully be connected toan endpoint, a server, a mobile device, and so forth. Events may includeinformation or messages from a threat management facility, firewall,network device, and so on, for example, that may be resident on or incommunication with an endpoint. For example, a threat managementfacility may identify a potential or actual threat, and this may betreated as an event.

In an aspect, monitoring events on a first endpoint may includeinstrumenting a first endpoint to monitor a number of causalrelationships among a number of computing objects. For example, amonitoring facility or other monitoring component (e.g., a componentdisposed on the first endpoint or otherwise in communication with thefirst endpoint), may be configured to detect computing objects and tomonitor events on the first endpoint that associate the computingobjects in a number of causal relationships. Thus, a processor and amemory disposed on the endpoint may be configured to monitor events onthe endpoint. A remote server may also or instead be configured tomonitor events on the endpoint, for example, to create a data log ascontemplated herein.

Implementations may also or instead include monitoring events onmultiple endpoints, e.g., endpoints included in an enterprise network orthe like. Thus, in an aspect, the one or more computing objects includeat least one or more computing object(s) on a device other than thefirst endpoint, such as a second endpoint in the enterprise network. Thedevice may also or instead include a server configured to provide remoteresources to other endpoints, network devices, firewalls, gateways,routers, wireless access points, mobile devices, and so forth.

The causal relationships monitored by the system may includedependencies that form a link or an association between computingobjects or events. Useful causal relationships may include a data flow,e.g., linking computing objects based on the flow of data from onecomputing object to another computing object. The causal relationshipsmay also or instead include a control flow. For example, a firstcomputer program may generate a first event that triggers a secondcomputer program to trigger a second event, thereby creating a causalrelationship between the first computer program and the second computerprogram (and possibly a causal relationship between the first event andthe second event). In yet another aspect, the causal relationships mayinclude a network flow. For example, a computing object may access a URLor other remote resource or location and receive data. In this example,there may be a causal relationship between one or more of the computingobject, the URL, and the data. It will be understood that the term“causal relationship” and the like is intended to cover a wide range ofrelationships between computing objects that might be formed by events,and unless explicitly stated to the contrary or otherwise clear from thetext, the causal relationships may include anything that can link orassociate multiple computing objects (of the same type or differenttypes), e.g., in a directional manner, directly or indirectly.

As shown in step 404, the method 400 may include recording events suchas any of the events described above that occur on the endpoint. Thus,each event detected during monitoring may be recorded, e.g., by a datarecorder or other component, to provide a data log including a sequenceof events causally relating the number of computing objects. Asdescribed above, the data recorder may be configured to record eventsthat occur on the endpoint, or events that occur on a plurality ofendpoints. The data recorder may be locally disposed on the endpoint orotherwise in communication with the endpoint. The data recorder may alsoor instead be associated with a monitoring facility or an analysisfacility such as any of those described above. The data recorder mayrecord a sequence of events causally relating a number of computingobjects on one or more endpoints in a data log or the like disposed in amemory.

A number of events within the sequence of events may be preserved for apredetermined time window. For example, in an aspect, a data recorder orthe like may record all activity on an endpoint in a rolling buffer thatoverwrites data that is older than the predetermined time window. Thismay be true regardless of the types of computing objects associated withthe sequence of events. In another aspect, the predetermined time windowmay have a different duration for different types of computing objects(e.g., for at least two types of computing objects). By way of example,when the computing objects include one or more network addresses, thesequence of events may be preserved for a longer predetermined timewindow relative to a sequence of events associated with data files, orvice-versa. Similarly, when the computing objects include one or moreperipheral devices such as USB memories, the sequence of events may bepreserved for longer predetermined time window relative to a sequence ofevents associated with applications, or vice-versa. In implementations,the predetermined time window for which the sequence of events ispreserved may be based on the likelihood of a security event originatingfrom a certain type of computing object. For example, the reputation ofa computing object (e.g., an application) or a machine state may be usedfor determining the duration of the predetermined time window for whichthe sequence of events is preserved. Further, the predetermined timewindow for which the sequence of events is preserved may be determinedby a color of a computing object or event, e.g., as described in U.S.patent application Ser. No. 14/485,759 filed on Sep. 14, 2014, which isincorporated by reference herein in its entirety. In an aspect, the timewindow for which the sequence of events is preserved may be variable oradjustable. For example, a user or administrator using a user interfaceor the like may adjust the time window for which the sequence of eventsis preserved, e.g., based on computing object type or otherwise. Forexample, one or more first event types may be recorded with a first timewindow and one or more second event types may be recorded with a secondtime window.

In an aspect, the data recorder or the like may record only certainactivity on an endpoint, e.g., activity associated with predeterminedcomputing objects. The activity may be preserved for a predeterminedamount of time dependent upon the specific computing object to which theactivity is associated. In this manner, and by way of example, the datarecorder or the like may include a record of data for one week forapplications, for three months for files, for two weeks for registryentries, and so forth. It will be understood that these timeframes areprovided by way of example and not of limitation.

In general, data may be continuously recorded, periodically recorded, orsome combination of these. Furthermore, data may be cached, stored,deleted or transmitted to a remote processing facility in any suitablemanner consistent with appropriate use of local and remote resources,and the utility or potential utility of information that is beingrecorded. In one aspect, data may be periodically deleted or otherwiseremoved from the data recorder, such as after a security event has beendetected and addressed as described below. A new data log may then becreated for recording subsequent events on the one or more endpoints.

As shown in step 406, the method 400 may include evaluating one or moreevents that occur on the endpoint. The evaluation of the one or moreevents may include the application of one or more security rules todetermine whether the one or more events indicate or suggest a securityevent such as a security compromise event, a data exposure, a malwaredetection, or the like. Thus, the evaluation of the one or more eventsmay lead to the detection of a security event. While illustrated as aseparate step, this step 406 may be performed concurrently with or insequence with the monitoring step 402 discussed above.

The security event may be any beacon or trigger event, such as any ofthose discussed herein. The security event may include an event that isrelated to network security, computer security, data security, dataleakage, data exposure, or any other actual or potential security issue.The security event may also or instead include other events of interestthat are not directly related to computer/network security where, forexample, they are useful for otherwise auditing or monitoring machinesor characterizing device behavior. Thus, the security event may be anyevent general related to operation of a computer, and does notnecessarily include an actual security compromise event. However, inimplementations, the security event may include an actual compromise toa network, an endpoint, or a computer system such as the detection ofmalware or any other threat detection. For example, the security eventmay be a security compromise event related to a specific threat, e.g.,an event related to computer-based malware including without limitationa virus, spyware, adware, a Trojan, an intrusion, an advanced persistentthreat, spam, a policy abuse, an uncontrolled access, and so forth.

Detecting the security event may include detecting a security compromiseby applying a static analysis to software objects on the first endpoint.For example, each software object may be individually analyzed for itscompliance with a security policy or the like using signatures or otherobjective characteristics. It will be understood that while staticanalysis provides one useful form of evaluation for compliance with thesecurity policy or the like, other techniques may also or instead beemployed, e.g., a behavioral analysis, a sandbox execution, networktraffic analysis, and so forth.

Detecting the security event may also or instead include detecting asecurity compromise by applying dynamic or behavioral analysis to codeexecuting on the first endpoint, or to specific computing objects (e.g.,processes) on the endpoint. For example, events that can warranttriggering the detection of the security event may include a processthat loads a particular file that is known to be malicious, or a processthat accesses a known malicious IP address, and the like.

In an aspect, detecting the security event may include detecting ahardware change or other state changes. Detecting the security event mayalso or instead include detecting a potential data leakage.

As discussed herein, a security policy may be used to detect a securityevent. This may include, for example, whitelists or blacklists of knowncomputing objects and events, or reputations and signatures thereof. Forexample, a security policy may include rules that allow computingobjects and events that are provided by a known, trusted source (e.g., atrusted user, endpoint, network, company, vendor, and so forth). Therules may be more complex, for example, where originating from a trustedsource is only one factor in determining whether to whitelist computingobjects and events. In general, the security policy may include anysuitable rules, logic, prioritizing, etc., as desired to detect asecurity event.

Although referred to herein in terms of ‘security,’ one skilled in theart will recognize that a security policy may also or instead includeother types of policies. For example, a security policy may include acorporate or network policy having a list of approved computing objectsand events, where computing objects and events outside of this list maynot necessarily be security risks, but are otherwise unwanted in thenetwork. Thus, the security policy may intend to detect malware and thelike, while also detecting other types of unwanted computing objects andevents that do not qualify as malware.

More generally, any technique or combination of techniques suitable forevaluating endpoint activity for the detection of actual or potentialsecurity compromises may be used to detect security events ascontemplated herein.

As shown in step 408, if a security event is not detected, the method400 may return to step 402 where monitoring can continue. As furthershown in step 408, if a security event is detected, a root causeanalysis or the like may be performed to identify a source of thesecurity event as further described below. That is, detecting a securityevent associated with one of the number of computing objects may triggerfurther analysis of other causally related computing objects on anendpoint (or in certain cases, remote from an endpoint) to identify acause of the security event, as distinguished from the symptom thatgenerated the beacon or trigger for the analysis.

As shown in step 410, the method 400 may include generating an eventgraph. The event graph may be generated in response to detecting thesecurity event, e.g., using the data log from the data recorder. Theevent graph may be generated at the same time as or as part of creatingthe data log. The event graph may include the sequence of eventscausally relating the number of computing objects, and morespecifically, the sequence of events and computer objects causallyassociated with the object(s) that triggered the detected securityevent.

As discussed herein, the event graph may be generated based on a datalog of events and computer objects stored by a data recorder duringoperation of the endpoint. In particular, the data recorder may providea dump of logged activities, which may be causally associated into agraph for analysis, navigation, display and so forth. Any useful portionof the data log may be used. For example, the data recorder may provideevent data for a window of time before, after or surrounding thedetected security event. The data log may be filtered, e.g., when thedata is written to the data log (for example, by aging events asdescribed above) or when the event graph is generated, or somecombination of these. A variety of filtering techniques may be usefullyemployed. For example, certain types of objects or events may be removedfrom an event graph for specific trigger events, or certain groups ofevents may be condensed into a single event, such as all normal activitythat occurs when a user logs into an endpoint. Similarly, computingobjects that are too remote, either within the event graph or timewise,may be pruned and removed, particularly if they have a known, lowdiagnostic significance. Thus, the event graph may be filtered andcondensed in a variety of manners to obtain a useful snapshot of eventsoptimized for root cause analytics. Filtering of the data may bedependent upon the type of security event that is detected. Filtering ofthe data may adjust the level of detail included in the event graphbased on memory limits, user parameters, security event type, or anyother object metrics or inputs. In an aspect, the data is filtered basedon reputation or the like, e.g., of computing objects included therein.For example, if an application has a good reputation, the applicationmay not include a high level of detail associated therewith in afiltered version of the data log.

In one aspect, the event graph may be generated based on a data log froma number of different endpoints and thus may represent a causal chain ofdata from various different endpoints. This approach advantageouslypermits an analysis using data that spans multiple endpoints or othernetwork devices within a single data structure or package, thuspermitting identification of a root cause even when an attack employs acomplex, multi-hop approach to network assets that might otherwise evadedetection. Event graphs may also or instead be generated separately fordifferent endpoints and presented to a user or analytical system asseparate, discrete entities. Event graphs for endpoints may be comparedwith one another, e.g., as part of the root cause analysis. For example,by analyzing and comparing similar event graphs or event graphs sharingsimilar computing objects or events, a heuristic approach may bedeveloped for identifying suspicious events and computing objects forone or more endpoints. Similarly, event graphs for different endpointsin the same network enterprise may be compared or combined, e.g., wheretwo or more endpoints have been exposed to a security event or threat.For example, event graphs for similar time periods of two or moreendpoints may be ascertained and analyzed.

In an aspect, cross-correlating between different data logs or eventgraphs may be utilized in a root cause analysis. For example, if thesame security event or root cause is identified on different endpoints,the endpoints may be flagged for review or remediation. This type ofanalysis may be used on different endpoints throughout a network.

Implementations may include a number of different event graphs stored ina data store that can be used together to detect, prevent, or determinethe root causes for suspicious activity or other activity of interest,e.g., a security event. As discussed herein, the event graphs may befiltered before being stored in the data store, which can remove systemactivity that is not of interest in such analyses. The event graphs maybe searchable, e.g., for analysis of event graphs including similarcomputing objects or events. The event graphs may also or instead belinked to one another, e.g., event graphs including similar computingobjects or events. The event graphs may be presented to a user on a userinterface or the like, e.g., an interactive user interface that allows auser to see similar or related event graphs, search the event graphs,link between event graphs, and so forth.

An event graph may use a conventional structure of nodes (computingobjects) and events (edges) to represent causal relationships amongcomputing objects. This permits the use of a wide range of graph-basedtechniques to assist in analysis of the context leading up to a detectedevent. At the same time, numerous other data structures, computerrepresentations, and visual representations of such interrelated objectsand events are also known in the art, any of which may be employed as anevent graph as contemplated herein, provided that enough descriptivedata about the context of an endpoint is captured to facilitate thevarious types of analysis and response contemplated herein.

As shown in step 412, the method 400 may include, in response todetecting the security event, traversing the event graph based on thesequence of events in a reverse order from the one of the computingobjects associated with the security event to one or more preceding onesof the computing objects. In general, the reverse order is a causallyreverse order. For example, where a network flow, data flow or controlflow has a direction from one computing object to another computingobject, the reverse order will follow this flow or causal link from thereceiving computing object backward toward the source computing object.However, this may also or instead include a chronological flow, such asin a complex event graph where the time of receipt for two differentinputs from two different sources is relevant. In general, a review ofeach of the preceding computing objects may be conducted by workingbackward from the computing object associated with the security event,e.g., to determine a root cause of the security event. In an aspect,this may include a static analysis of each of the preceding computingobjects, or a dynamic analysis of object and event interactions, or somecombination of these.

As shown in step 414, the method 400 may include applying one or morerules to the computing objects preceding the security event. Forexample, the method 400 may include applying a cause identification ruleto the preceding ones of the computing objects and the causalrelationships while traversing the event graph in order to identify oneof the computing objects as a cause of the security event. In general,the root cause analysis may attempt to identify a pattern in the eventgraph using cause identification rules to identify one of the computingobjects (or a group of the computing objects and events) as a root causeof the security event.

The cause identification rule may associate the cause with one or morecommon malware entry points. For example, common entry points include aword processing application, an electronic mail application, aspreadsheet application, a browser, or a universal serial bus (USB)drive that is attached to an endpoint, and any of these computingobjects, when encountered in an event graph, may be identified as a rootcause. For example, when traversing the event graph in a reverse orderfrom the security event, if the analysis identifies an electronic mailapplication that opened an attachment, this may be identified as theroot cause because this is often a source of compromised security on anendpoint. Similarly, when traversing the event graph in a reverse orderfrom the security event, if the analysis identifies a USB drive, or anunsecure or unencrypted USB drive, from which a file was opened, thismay be identified as a likely cause of the security event. In oneaspect, multiple candidate root causes may be identified using the causeidentification rules, and a final selection may be based on othercontextual information such as reputation, source, etc.

Security events may also or instead be caused by a certain combinationof events or combinations of events and computing objects. For example,in an aspect, the cause identification rule may associate the cause ofthe security event with a combination that includes a first processinvoking a second process and providing data to the second process. Asused herein, invoking may be interpreted broadly, e.g., where any twoprocesses share data through an intermediate file, or narrowly, e.g.,where a first process specifically spawns the second process as a childprocess. More generally, invoking a process as used herein is intendedto broadly include any causal relationship between to processesincluding, e.g., spawning a process, hijacking a process (e.g., seizingcontrol of an existing process through thread injection, processhollowing, and the like), remotely launching a process over a network,instrumenting a service in the operating system, and the like. A causeidentification rule may specify a particular type of invocationrelationship between two processes, or multiple types of invocation, orany relationship between two processes. Providing data from a firstprocess to a second process may include creating a file for use by thesecond process. For example, the cause of a security event may include afirst process that writes a file and then takes control of a secondprocess that reads data from the file so that the first process and thesecond process share data through the file.

Another example of a security event may include a known non-maliciousapplication (e.g., a commonplace word processing application) launchinga command line script, which may be identified as a cause of a securityevent. The activity underlying events that are generated may notnecessarily be malicious, but they could lead to security events orother events of interest to be further analyzed. Thus, in one aspect, acause identification rule may flag this behavior as a root cause of asecurity event, or as an event that is otherwise of diagnostic interest.

As shown in step 416, the method 400 may include traversing the eventgraph forward from an identified or presumed cause of the security eventto identify one or more other ones of the computing objects affected bythe cause. In this manner, an analysis of each of the computing objectsin the event graph may be conducted by working forward from the rootcause to other causally dependent computing objects that might becompromised or otherwise affected by the root cause. This may includelabeling or otherwise identifying the potentially compromised objects,e.g. for remediation or further analysis. A pruning step may also beemployed, e.g. where any computing objects that are not causallydependent on the root cause in some way are removed from the eventgraph.

As shown in step 418, the method 400 may include remediating one or morecomputing objects affected by the cause of the security event.Remediation may include deleting computing objects from the endpoint, orotherwise remediating the endpoint(s) using computer security techniquessuch as any described herein. In another aspect, the identification ofthe root cause may be used to create new detection rules capable ofdetecting a security event at a point in time (or causation) closer tothe root cause within the event graph. Other remediation steps mayinclude forwarding the event graph, or a filtered and pruned eventgraph, to a remote facility for analysis. This data may usefully providea map for identifying sources of malware, or for ensuring thoroughremediation by identifying all of the potentially compromised computingobjects that should be examined after the compromise has been addressed.

FIG. 5 illustrates a graphical depiction of a portion of an exampleevent graph 500. The event graph 500 may include a sequence of computingobjects causally related by a number of events, and which provide adescription of computing activity on one or more endpoints. The eventgraph 500 may be generated, for example, when a security event 502 isdetected on an endpoint, and may be based on a data log or similarrecords obtained by an event data recorder during operation of theendpoint. The event graph 500 may be used to determine a root cause 504of the security event 502 as generally described above. The event graph500 may also or instead be continuously generated to serve as, or be apart of, the data log obtained by the data recorder. In any case, anevent graph 500, or a portion of an event graph 500 in a window beforeor around the time of a security event, may be obtained and analyzedafter a security event 502 occurs to assist in determining its rootcause 504. The event graph 500 depicted in the figure is provided by wayof example only, and it will be understood that many other forms andcontents for event graphs 500 are also or instead possible. It also willbe understood that while the figure illustrates a graphical depiction ofan event graph 500, the event graph 500 may be stored in any suitabledata structure or combination of data structures suitable for capturingthe chain of events and objects in a manner that preserves causalrelationships for use in forensics and malware detection as contemplatedherein.

By way of example, the event graph 500 depicted in the figure beginswith a computing object that is a USB device 512, which may be connectedto an endpoint. Where the USB device 512 includes a directory or filesystem, the USB device 512 may be mounted or accessed by a file systemon an endpoint to read contents. The USB device 512 may be detected 513and contents of the USB device 512 may be opened 514, e.g., by a user ofthe endpoint or automatically by the endpoint in response to detectionof the USB device 512. The USB device 512 may include one or more filesand applications, e.g., a first file 516, a second file 518, and a firstapplication 520. The first file 516 may be associated with a first event522 and the second file may be associated with a second event 524. Thefirst application 520 may access one or more files on the endpoint,e.g., the third file 526 shown in the figure. The first application 520may also or instead perform one or more actions 528, such as accessing aURL 530. Accessing the URL 530 may download or run a second application532 on the endpoint, which in turn accesses one or more files (e.g., thefourth file 534 shown in the figure) or is associated with other events(e.g., the third event 536 shown in the figure).

In the example provided by the event graph 500 depicted in the figure,the detected security event 502 may include the action 528 associatedwith the first application 520, e.g., accessing the URL 530. By way ofexample, the URL 530 may be a known malicious URL or a URL or networkaddress otherwise associated with malware. The URL 530 may also orinstead include a blacklisted network address that although notassociated with malware may be prohibited by a security policy of theendpoint or enterprise network in which the endpoint is a participant.The URL 530 may have a determined reputation or an unknown reputation.Thus, accessing the URL 530 can be detected through known computingsecurity techniques.

In response to detecting the security event 502, the event graph 500 maybe traversed in a reverse order from a computing object associated withthe security event 502 based on the sequence of events included in theevent graph 500. For example, traversing backward from the action 528leads to at least the first application 520 and the USB device 512. Aspart of a root cause analysis, one or more cause identification rulesmay be applied to one or more of the preceding computing objects havinga causal relationship with the detected security event 502, or to eachcomputing object having a causal relationship to another computingobject in the sequence of events preceding the detected security event502. For example, other computing objects and events may be tangentiallyassociated with causally related computing objects when traversing theevent graph 500 in a reverse order-such as the first file 516, thesecond file 518, the third file 525, the first event 522, and the secondevent 524 depicted in the figure. In an aspect, the one or more causeidentification rules are applied to computing objects preceding thedetected security event 502 until a cause of the security event 502 isidentified.

In the example shown in the figure, the USB device 512 may be identifiedas the root cause 504 of the security event 502. In other words, the USBdevice 512 was the source of the application (the first application 520)that initiated the security event 502 (the action 528 of accessing thepotentially malicious or otherwise unwanted URL 530).

The event graph 500 may similarly be traversed going forward from one ormore of the root cause 504 or the security event 502 to identify one ormore other computing objects affected by the root cause 504 or thesecurity event 502. For example, the first file 516 and the second 518potentially may be corrupted because the USB device 512 includedmalicious content. Similarly, any related actions performed after thesecurity event 502 such as any performed by the second application 532may be corrupted. Further testing or remediation techniques may beapplied to any of the computing objects affected by the root cause 504or the security event 502.

The event graph 500 may include one or more computing objects or eventsthat are not located on a path between the security event 502 and theroot cause 504. These computing objects or events may be filtered or‘pruned’ from the event graph 500 when performing a root cause analysisor an analysis to identify other computing objects affected by the rootcause 504 or the security event 502. For example, computing objects orevents that may be pruned from the event graph 500 may include the USBdrive 510 and the USB device being detected 513.

It will be appreciated that the event graph 500 depicted in FIG. 5 is anabstracted, simplified version of actual nodes and events on an endpointfor demonstration. Numerous other nodes and edges will be present in aworking computing environment. For example, when a USB device is coupledto an endpoint, the new hardware will first be detected, and then theendpoint may search for suitable drivers and, where appropriate, presenta user inquiry of how the new hardware should be handled. A user maythen apply a file system to view contents of the USB device and select afile to open or execute as desired, or an autorun.exe or similar filemay be present on the USB device that begins to execute automaticallywhen the USB device is inserted. All of these operations may requiremultiple operating system calls, file system accesses, hardwareabstraction layer interaction, and so forth, all of which may bediscretely represented within the event graph 500, or abstracted up to asingle event or object as appropriate. Thus, it will be appreciated thatthe event graph 500 depicted in the drawing is intended to serve as anillustrative example only, and not to express or imply a particularlevel of abstraction that is necessary or useful for root causeidentification as contemplated herein.

The event graph 500 may be created or analyzed using rules that defineone or more relationships between events and computing objects. The CLanguage Integrated Production System (CLIPS) is a public domainsoftware tool intended for building expert systems, and may be suitablyadapted for analysis of a graph such as the event graph 500 to identifypatterns and otherwise apply rules for analysis thereof. While othertools and programming environments may also or instead be employed,CLIPS can support a forward and reverse chaining inference enginesuitable for a large amount of input data with a relatively small set ofinference rules. Using CLIPS, a feed of new data can trigger a newinference, which may be suitable for dynamic solutions to root causeinvestigations.

An event graph such as the event graph 500 shown in the figure mayinclude any number of nodes and edges, where computing objects arerepresented by nodes and events are represented by edges that mark thecausal or otherwise directional relationships between computing objectssuch as data flows, control flows, network flows and so forth. Whileprocesses or files are common forms of nodes that might appear in such agraph, any other computing object such as an IP address, a registry key,a domain name, a uniform resource locator, a command line input or otherobject may also or instead be designated to be a node in an event graphas contemplated herein. Similarly, while an edge may be formed by an IPconnection, a file read, a file write, a process invocation (parent,child, etc.), a process path, a thread injection, a registry write, adomain name service query, a uniform resource locator access and soforth other edges may be designated. As described above, when a securityevent is detected, the source of the security event may serve as astarting point within the event graph 500, which may then be traversedbackward to identify a root cause using any number of suitable causeidentification rules. The event graph 500 may then usefully be traversedforward from that root cause to identify other computing objects thatare potentially tainted by the root cause so that a more completeremediation can be performed.

Using the systems and methods described herein may provide foradvantageous sandboxing techniques. For example, the sequence of eventsincluded in a data recorder or event graph may be executed within asandbox or the like in a similar manner as the sequence of eventsoccurred on the endpoint where a security event was detected. This maybe accomplished without replicating the entire action sequence of eventson the endpoint, e.g., using only a predetermined time window or apredetermined sequence of events. In this manner, information from thedata recorder may be used to replicate the actual order of events andprocesses that were involved in a security event. This may increase thelikelihood of a sample detonating in a useful manner for analyses.

FIG. 6 shows a method for malware detection using an event graph. Once aroot cause has been identified as described above, the event graphproximal to the root cause can be used to detect malware based on theemergence of a similar or identical event graph during malwaremonitoring. This potentially facilitates earlier detection by permittingdetection based on the root cause pattern rather than the (subsequent)beacon that initially triggered the search for a root cause duringforensic analysis. In addition, monitoring may be adapted to a currentsecurity context, e.g., by adding more monitoring points or decreasingfiltering (e.g., to gather more data at each point) when the securitystate worsens or there is a perceived increase in security risk. Ingeneral, the computing objects, events, event graph, and the likedescribed below may be any of those described above with respect to rootcause identification, with the characteristics of the root cause appliedfor prospective malware detection instead of or in addition toretroactive, forensic root cause analysis.

As shown in step 602, the method 600 may include instrumenting anendpoint to monitor a number of causal relationships among computingobjects at a plurality of logical locations within a computingenvironment related to the endpoint. Instrumentation may use anysuitable techniques for recording data as contemplated herein. Thecomputing objects may in general be any hardware or software computingobject such as a data file, a database record, a database, a directory,a file system, a file system path, a process, an application, anoperating system, a registry or registry entry, a network address, anetwork path, a peripheral device, a physical device (e.g., a diskdrive, optical drive, communications or network interface, keyboard,mouse, sensor, camera, microphone, etc.), and so forth. In general, thelogical locations may be any corresponding locations of diagnosticinterest that might be accessed or used by the computing objects withinthe computing environment, such as hardware/device interfaces, devicedrivers, a file system and/or directory, memory (e.g., RAM, cache,processor registers), operating system interfaces, applicationprogramming interfaces, network communication ports or interfaces, andany data sources of interest such as credential stores, systemregistries, system configuration files, and so forth. In one aspect,this may include logical locations separate from the endpoint, such aslocations on a second physical endpoint separate from the firstendpoint, or a web site, file server, mail server, or other remoteresource. By extending instrumentation beyond the individual endpoint,malicious software movements can be tracked throughout a network or fromone device to another in order to improve malware detections and thelike. The logical locations may also or instead include a programmaticinterface to a human interface device such as a mouse, keyboard, sensor,camera, microphone, or other input/output device. The logical locationsmay also or instead include peripherals or other devices attached to andcommunicating with the endpoint such as USB memory devices, flashdrives, and so forth.

Monitoring may be performed at various levels of granularity. Forexample, monitoring may include monitoring of specific memory locationsor file locations that are potentially of interest, such as bymonitoring reads and/or writes to specific file names, specificdirectories, and so forth. In another aspect, the instrumentation may beconfigured for variable monitoring. For example, where a high-risk stateis detected, filtering may be decreased so that, e.g., a file system orother resource is monitored more aggressively and additional events arecaptured. This heightened monitoring may be continued for apredetermined window, or until the high-risk state has passed, orindefinitely or until the occurrence of some specific event.

More generally, the instrumentation contemplated herein may include anyinstrumentation suitable for monitoring causal relationships amongcomputing objects at logical locations within a computing environmentfor an endpoint. The computing environment may be confined to thecomputing environment on a particular endpoint such as the hardware andsoftware associated with that endpoint. The computing environment maymore generally include any computing environment related to theendpoint, and may be extended to include other endpoints, remotecomputing resources such as websites, web servers, file servers, devicessuch as printers, copiers, watches, televisions, appliances, and soforth. More generally, any other location or resource that might providelogical locations useful for monitoring and diagnostic purposes may beincluded in the computing environment. In one aspect, this may includeother endpoints within a local area network or enterprise network usedby the endpoint, such as where another endpoint in the enterprisenetwork sends commands or data to the endpoint or receives commands ordata from the endpoint. In general, the instrumentation may includepredetermined instrumentation of specific logical locations. That is,the endpoint may be configured to provide causal information fromspecific logical locations, any of which may then be controllablyselected for observation after an initial configuration. In anotheraspect, instrumentation may include dynamic instrumentation that isdeployed as needed or desired for endpoint monitoring. Thus, forexample, where a new registry entry is created or a new file isdownloaded, that computing object may be monitored prospectively as anew logical location on the endpoint until it can be determined that thenew computing object is safe.

As shown in step 604, the method 600 may include selecting a set oflogical locations from the plurality of logical locations. This mayinclude adding one or more of the plurality of logical locations to thefirst set of logical locations in response to a detected increase insecurity risk. This may also or instead include removing one of theplurality of logical locations from the first set of logical locationsin response to a detected decrease in security risk. More generally,this may include adapting the monitored locations according to asecurity state of the endpoint so that more or less computing resourcescan be used as necessary or appropriate according to the current stateof risk.

In another aspect, selecting logical locations may include adapting themonitoring based on observed properties of objects within a computingenvironment. For example, computing objects such as files or processesmay be explicitly labelled with information about reputation, exposureto external networks, usage history, security status, and so forth. Oneuseful system for labeling objects in this manner is described by way ofexample in commonly-owned U.S. application Ser. No. 15/179,547, entitled“Network Security” and filed on Jun. 10, 2016, the entire content ofwhich is hereby incorporated by reference. Without limiting thegenerality of that disclosure, numerous techniques are described forlabeling processes, files, and other computing objects with usefulinformation for malware detection, reputation-based processing, and soforth. These and other techniques may be usefully employed to labelcomputing objects in any manner useful for evaluating a security stateof an endpoint (or specific computing objects on the endpoint), and forusing this security state to adapt the monitoring processes contemplatedherein.

For example, each file, process, or other object may be labelledaccording to whether the object has been exposed to an external networkor resource. In this manner, objects that have remained isolated on theendpoint can be distinguished from objects that have been exposedoutside of the endpoint (and that are thus potentially at risk forinfection or other malicious activity). Where exposure of computingobjects is explicitly tracked, selecting a set of logical locations mayinclude selecting a group from the plurality of logical locations basedon exposure to an external environment, e.g., where the exposure impliesa greater degree of security risk. Similarly, these techniques may beused to label computing objects according to reputation, which permitsthe use of a local or remotely managed reputation database to labelcomputing objects according to their own inherent reputation (e.g.,good, bad, low, unknown, etc.) or according to the reputation of othercomputing objects that a computing object has been exposed to, or somecombination of these. In this case, selecting a set of logical locationsmay include selecting a group from the plurality of logical locationsbased on a reputation, such as a reputation of one of the computingobjects, or a reputation of a group of computing objects. In general,reputation-based evaluations may be done at any suitable level ofgranularity or complexity. For example, where a known and goodreputation process is being used, the selection may include excludingone of the plurality of logical locations associated with the known,good process. This may also or instead include adding locationsassociated with processes of unknown reputation, or increasing thenumber of locations or level of monitoring when an inconsistency isdetected between a reputation of a first process and a reputation of asecond process calling or invoking the first process. More generally,where reputation information is available for computing objects on anendpoint, any inconsistencies between reputations of computing objectsthat are causally linked in an event graph, or any other reputationinformation that might be available for the computing objects, may beusefully employed to adapt monitoring as contemplated herein.

The reputation of computing objects may include a score (or other label,indication, weighting, and the like) of one or more of its prevalence,its provenance, and its pedigree. The prevalence of a computing objectmay include how the computing object has been seen on other machines orsystems. The provenance of a computing object may include its origin,e.g., where it came from, who created or signed it, and the like. Thepedigree of a computing object may allow for identification of thecreator of the computing object. For example, the pedigree may be basedon the public key of the certificate that signed software (e.g.,typically the first intermediate certificate). For URLs, this may bebased on the signed SSL server certificate. For software, this may bebased on the signed packet that contains the software (if present).Providence and prevalence may be uncovered by checking on the public keyof the certificate in question, and known good computing objects (orreputations or attributes thereof, e.g., certificates) may be hard codedinto a list for future lookup.

As shown in step 606, the method 600 may include recording a sequence ofevents causally relating the number of computing objects at the set oflogical locations selected in step 604. In general, this may includerecording any of the events described herein. This may also or insteadinclude filtering the recorded events more or less aggressivelyaccording to a security state or other information. For example, thismay include filtering one or more of the events in the sequence ofevents according to a reputation, such as by excluding events that arerelated to a known good process, or increasing data collection orsensitivity for events that are related to unknown or low reputationcomputing objects.

In one aspect, some or all of the events may have an aging or durationparameter such as a time to live. This permits appropriate aging ofevents according to their short-term or long-term diagnosticsignificance. For example, in lateral movement malware exploit, oneendpoint may try to log in to another endpoint using a series of loginattempts with different credentials. To detect this type of attemptedlateral movement, it may be useful to retain all login attempts for arelatively short period of time in order to see if a number of similarlogin attempts occur within a short time period. However, after thepassage of some time, any such failed login attempts might be discountedin significance, and aged out of the current event graph using asuitable time to live or other time constant. Thus, a number of eventswithin the sequence of events may be preserved for a predetermined timewindow. The predetermined time window may have a different duration forat least two of the types of computing objects contemplated herein,which may be useful where events for different computing objects (e.g.,remote resources, local files, processes, and the like) provideinformation with differing long-term or short-term value.

As shown in step 608, the method 600 may include creating an event graphbased on the sequence of events. The event graph may be continuouslycreated and updated by a data recorder—that is, the data recorder maystore the event graph as its native data logging format—or the eventgraph may be created on demand from a structured or unstructured datalog at discrete moments, e.g., in response to a request for an eventgraph from the data recorder. Thus, in one aspect, the data recorder mayfunction to continuously obtain data from a variety of sources orlocations in addition to the locations that have been selected formonitoring. While this additional data logging may require additionalcomputing resources to capture information beyond selecting monitoringpoints as well as additional storage, the additional data may alsoadvantageously permit retroactive reconstruction of malicious causalchains if potential malware has been detected. Thus, in one aspect, adata recorder may record additional data from instrumentation pointsoutside the scope of the logical locations that are currently explicitlybeing monitored. The data recorder may have a prioritized list oflogical locations, and may record additional data based on theprioritized list of logical locations.

As described herein, the event graph may generally associate a number ofcomputing objects to one another through events that establish causalrelationships. In general, the causal relationships may include a dataflow, a control flow, or a network flow, or any other type of event orthe like that causally relates one computing object to other computingobjects within an endpoint computing environment.

As shown in step 610, the method may include evaluating a security stateof the endpoint. In one aspect, this may include evaluating the securitystate of the endpoint based on the event graph, such as by applying amalware detection rule to the event graph. This may provide usefuldiagnostic information by comparing the current event graph to one ormore graphs for root causes that have been identified as describedabove, or by comparing the current event graph to other patterns ofevents that show a causal relationship among computing objects that issuggestive or indicative of malicious activity.

It will be appreciated that other techniques may also or instead beemployed to evaluate the security state of the endpoint, such assignature-based malware detection, behavioral malware detection, or anyother techniques known in the art to be useful for detecting thepresence of malware on an endpoint. These techniques may provideadditional information that may be useful for a general evaluation ofthe security state of the endpoint, which may be used instead of or inaddition to event-based techniques to evaluate the security state of anendpoint and to inform other event-based monitoring steps.

As shown in step 612, the method 600 may include adjusting the set oflogical locations according to the security state of the endpoint. Ingeneral, this may include adding a new logical location or removing anexisting logical location. Thus, this may generally include selecting asecond set of logical locations different from the first plurality oflogical locations in response to an observed event graph for thesequence of events. This may also or instead include changing a level offiltering at one of the set of logical locations according to thesecurity state of the endpoint. In another aspect, any of the selectioncriteria described above for use with an initial selection of monitoringlocations (e.g., in step 604) may also or instead be employed ascriteria for adding, removing, or filtering logical locations in orderto adjust the monitoring in response to a security state. It will alsobe understood that, while the event graph may generally provide usefulinformation about the security state of the endpoint, other informationmay also or instead be used to evaluate the security state and modifythe monitoring process accordingly. For example, the monitoring may beadjusted based on a detection of malware obtained from another sourcesuch as an antivirus scanner or the like, or the monitoring may beadjusted based on exposure to external resources, reputationinformation, or any other information that might be available forprocesses, files, and the like as contemplated herein.

As shown in step 614, the method 600 may include remediating theendpoint when the security state is compromised, for example, when acombination of a malware detection rule and the event graph indicate acompromised security state. This may include any suitable form ofremediation. For example, where evaluating the security state includesidentifying one of the computing objects (or a group of the computingobjects) as a cause of a compromised security state, the method 600 mayinclude remediating that one of the computing objects. Remediation mayalso or instead include traversing the event graph forward from thecause to identify one or more other ones of the computer objectsaffected by the cause, any of which may be similarly remediated.

Numerous remediation techniques are known in the art and may be usefullyemployed to remediate an endpoint, or one or more computing objects onan endpoint, as contemplated herein. This may for example includequarantining or isolating the endpoint to prevent interactions withother devices on a network. This may also or instead include deployingmalware removal tools to the endpoint, or launching a malware removaltool that is already on the endpoint, to remove malware that has beendetected. This may also include intermediate steps such as terminatingprocesses, deleting logs, clearing caches, or any other steps orcombination of steps suitable for removing malicious software from theendpoint and/or restoring the endpoint to an uninfected state. This mayinclude notifying an administrator or user. This may include reporting ahealth state that indicates compromise, for example, as part of aheartbeat health report.

According to the foregoing, there is also contemplated herein anendpoint that uses an adaptive event graph for malware detection. Ingeneral, the endpoint may include a network interface, a memory, and aprocessor. The processor may be configured by computer executable codestored in the memory to detect malware by performing the steps ofinstrumenting the endpoint to monitor a number of causal relationshipsamong a number of computing objects at a plurality of logical locationswithin a computing environment related to the endpoint, selecting afirst set of logical locations from the plurality of logical locations,recording a sequence of events causally relating the number of computingobjects at the first set of logical locations, creating an event graphbased on the sequence of events, applying a malware detection rule tothe event graph, and remediating the endpoint when the malware detectionrule and the event graph indicate a compromised security state. Theprocessor may be further configured to adjust the set of logicallocations by adding a new logical location, removing an existing logicallocation, or changing a level of filtering at one of the set of logicallocations according to a security state of the endpoint.

The above systems, devices, methods, processes, and the like may berealized in hardware, software, or any combination of these suitable fora particular application. The hardware may include a general-purposecomputer and/or dedicated computing device. This includes realization inone or more microprocessors, microcontrollers, embeddedmicrocontrollers, programmable digital signal processors or otherprogrammable devices or processing circuitry, along with internal and/orexternal memory. This may also, or instead, include one or moreapplication specific integrated circuits, programmable gate arrays,programmable array logic components, or any other device or devices thatmay be configured to process electronic signals. It will further beappreciated that a realization of the processes or devices describedabove may include computer-executable code created using a structuredprogramming language such as C, an object oriented programming languagesuch as C++, or any other high-level or low-level programming language(including assembly languages, hardware description languages, anddatabase programming languages and technologies) that may be stored,compiled or interpreted to run on one of the above devices, as well asheterogeneous combinations of processors, processor architectures, orcombinations of different hardware and software. In another aspect, themethods may be embodied in systems that perform the steps thereof, andmay be distributed across devices in a number of ways. At the same time,processing may be distributed across devices such as the various systemsdescribed above, or all of the functionality may be integrated into adedicated, standalone device or other hardware. In another aspect, meansfor performing the steps associated with the processes described abovemay include any of the hardware and/or software described above. Allsuch permutations and combinations are intended to fall within the scopeof the present disclosure.

Embodiments disclosed herein may include computer program productscomprising computer-executable code or computer-usable code that, whenexecuting on one or more computing devices, performs any and/or all ofthe steps thereof. The code may be stored in a non-transitory fashion ina computer memory, which may be a memory from which the program executes(such as random access memory associated with a processor), or a storagedevice such as a disk drive, flash memory or any other optical,electromagnetic, magnetic, infrared or other device or combination ofdevices. In another aspect, any of the systems and methods describedabove may be embodied in any suitable transmission or propagation mediumcarrying computer-executable code and/or any inputs or outputs fromsame.

It will be appreciated that the devices, systems, and methods describedabove are set forth by way of example and not of limitation. Absent anexplicit indication to the contrary, the disclosed steps may bemodified, supplemented, omitted, and/or re-ordered without departingfrom the scope of this disclosure. Numerous variations, additions,omissions, and other modifications will be apparent to one of ordinaryskill in the art. In addition, the order or presentation of method stepsin the description and drawings above is not intended to require thisorder of performing the recited steps unless a particular order isexpressly required or otherwise clear from the context.

The method steps of the implementations described herein are intended toinclude any suitable method of causing such method steps to beperformed, consistent with the patentability of the following claims,unless a different meaning is expressly provided or otherwise clear fromthe context. So, for example performing the step of X includes anysuitable method for causing another party such as a remote user, aremote processing resource (e.g., a server or cloud computer) or amachine to perform the step of X. Similarly, performing steps X, Y and Zmay include any method of directing or controlling any combination ofsuch other individuals or resources to perform steps X, Y and Z toobtain the benefit of such steps. Thus, method steps of theimplementations described herein are intended to include any suitablemethod of causing one or more other parties or entities to perform thesteps, consistent with the patentability of the following claims, unlessa different meaning is expressly provided or otherwise clear from thecontext. Such parties or entities need not be under the direction orcontrol of any other party or entity, and need not be located within aparticular jurisdiction.

It will be appreciated that the methods and systems described above areset forth by way of example and not of limitation. Numerous variations,additions, omissions, and other modifications will be apparent to one ofordinary skill in the art. In addition, the order or presentation ofmethod steps in the description and drawings above is not intended torequire this order of performing the recited steps unless a particularorder is expressly required or otherwise clear from the context. Thus,while particular embodiments have been shown and described, it will beapparent to those skilled in the art that various changes andmodifications in form and details may be made therein without departingfrom the spirit and scope of this disclosure and are intended to form apart of the invention as defined by the following claims, which are tobe interpreted in the broadest sense allowable by law.

What is claimed is:
 1. A computer program product for malware detectioncomprising computer executable code embodied in a non-transitorycomputer readable medium that, when executing on one or more computingdevices, performs the steps of: instrumenting a first endpoint tomonitor a number of causal relationships among a number of computingobjects at a set of logical locations within a computing environment ofthe first endpoint; recording a sequence of events causally relating thenumber of computing objects at the set of logical locations; creating anevent graph based on the sequence of events; detecting a malware eventon the first endpoint based on an analysis of one or more of thesequence of events at a threat management facility for an enterprisenetwork associated with the first endpoint; traversing the event graphin reverse order from a point of the malware event to identify a rootcause of the malware event; creating a malware detection rule to detectthe malware event based on an emergence of a similar event graph to apattern related to the root cause using a portion of the event graphproximal to the root cause; instrumenting a second endpoint to detectthe malware event based on the malware detection rule; detecting themalware event on the second endpoint using the malware detection rule toidentify the emergence of the similar event graph proximal to the rootcause; and initiating a remediation of the second endpoint when themalware event is detected.
 2. The computer program product of claim 1,wherein the second endpoint resides on a cloud computing resource. 3.The computer program product of claim 1, wherein the first endpointresides on a cloud computing resource.
 4. A method for malwaredetection, the method comprising: instrumenting a first endpoint tomonitor a number of causal relationships among a number of computingobjects at a set of logical locations within a computing environment;recording a sequence of events causally relating the number of computingobjects at the set of logical locations; creating an event graph basedon the sequence of events; detecting a malware event on the firstendpoint; traversing the event graph in reverse order from a point ofthe malware event to identify a root cause of the malware event;creating a malware detection rule to detect the malware event based onan emergence of a similar event graph to a pattern related to the rootcause using a portion of the event graph proximal to the root cause; andinstrumenting a second endpoint to detect the malware event based on themalware detection rule.
 5. The method of claim 4, further comprisinginitiating a remediation of the second endpoint when the malware eventis detected on the second endpoint based on the malware detection rule.6. The method of claim 4, further comprising generating an alert whenthe malware event is detected on the second endpoint based on themalware detection rule.
 7. The method of claim 4, further comprisingadjusting the set of logical locations for monitoring in response to achange in a security risk for the first endpoint.
 8. The method of claim4, wherein the second endpoint includes one or more of a web site, afile server, and a mail server.
 9. The method of claim 4, wherein thesecond endpoint resides on a cloud computing resource.
 10. The method ofclaim 4, further comprising filtering one or more events in the sequenceof events based on reputation.
 11. The method of claim 4, wherein theset of logical locations includes at least one programming interface toa human interface device.
 12. The method of claim 4, wherein the numberof causal relationships includes at least one of a data flow, a controlflow, and a network flow.
 13. The method of claim 4, wherein the numberof computing objects include one or more of a data file, a process, anapplication, a registry entry, a network address, and a peripheraldevice.
 14. The method of claim 4, wherein a number of events within thesequence of events are preserved for a predetermined time window, andwherein the predetermined time window has a different duration for atleast two different types of computing objects.
 15. The method of claim4, wherein the first endpoint and the second endpoint are within anenterprise network.
 16. The method of claim 4, wherein recording thesequence of events includes recording the sequence of events in a datalog stored on the first endpoint.
 17. The method of claim 4, whereinrecording the sequence of events includes recording the sequence ofevents in a data log hosted at a threat management facility.
 18. Themethod of claim 4, wherein the malware event includes a movement ofmalicious software through a network from one device to another.
 19. Asystem comprising: a first endpoint having a first network interface, afirst memory, and a first processor; a second endpoint having a secondnetwork interface, a second memory, and a second processor; and computerexecutable code stored in the first memory and the second memory thatconfigures the first processor and the second processor to perform thesteps of instrumenting the first endpoint to monitor a number of causalrelationships among a number of computing objects at a set of logicallocations within a computing environment, recording a sequence of eventscausally relating the number of computing objects at the set of logicallocations, creating an event graph based on the sequence of events,detecting a malware event on the first endpoint, traversing the eventgraph in reverse order from a point of the malware event to identify aroot cause of the malware event, creating a malware detection rule todetect the malware event based on an emergence of a similar event graphto a pattern related to the root cause using a portion of the eventgraph proximal to the root cause, and instrumenting the second endpointto detect the malware event based on the malware detection rule.
 20. Thesystem of claim 19, wherein at least one of the first processor and thesecond processor resides on a cloud computing resource.